Cyber Resilience

CVE-2023-28628

MediumPublic PoC

Published: 27 March 2023

Published
27 March 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
EPSS Score 0.0023 45.7th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-28628 is a medium-severity Use of Incorrectly-Resolved Name or Reference (CWE-706) vulnerability in Lambdaisland Uri. Its CVSS base score is 5.4 (Medium).

Operationally, ranked at the 45.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 `authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910.…

more

The regex in question doesn't handle the backslash (`\`) character in the username correctly, leading to a wrong output. ex. a payload of `https://example.com\\@google.com` would return that the host is `google.com`, but the correct host should be `example.com`. Given that the library returns the wrong authority this may be abused to bypass host restrictions depending on how the library is used in an application. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

lambdaisland
uri
≤ 1.14.120

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-601

Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.

addresses: CWE-601

Validates redirect targets and URLs to ensure they conform to allowed destinations.

References