Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.bugs.dist > #1289454 > unrolled thread

Bug#1133700: lambdaisland-uri-clojure: CVE-2023-28628

Started bySalvatore Bonaccorso <carnil@debian.org>
First post2026-04-13 21:50 +0200
Last post2026-04-13 21:50 +0200
Articles 1 — 1 participant

Back to article view | Back to linux.debian.bugs.dist

Contents

  Bug#1133700: lambdaisland-uri-clojure: CVE-2023-28628 Salvatore Bonaccorso <carnil@debian.org> - 2026-04-13 21:50 +0200

#1289454 — Bug#1133700: lambdaisland-uri-clojure: CVE-2023-28628

FromSalvatore Bonaccorso <carnil@debian.org>
Date2026-04-13 21:50 +0200
SubjectBug#1133700: lambdaisland-uri-clojure: CVE-2023-28628
Message-ID<MJvsd-eTVa-1@gated-at.bofh.it>
Source: lambdaisland-uri-clojure
Version: 1.13.95-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for lambdaisland-uri-clojure.

CVE-2023-28628[0]:
| lambdaisland/uri is a pure Clojure/ClojureScript URI library. In
| versions prior to 1.14.120 `authority-regex` allows an attacker to
| send malicious URLs to be parsed by the `lambdaisland/uri` and
| return the wrong authority. This issue is similar to but distinct
| from CVE-2020-8910. The regex in question doesn't handle the
| backslash (`\`) character in the username correctly, leading to a
| wrong output. ex. a payload of `https://example.com\\@google.com`
| would return that the host is `google.com`, but the correct host
| should be `example.com`. Given that the library returns the wrong
| authority this may be abused to bypass host restrictions depending
| on how the library is used in an application. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28628
    https://www.cve.org/CVERecord?id=CVE-2023-28628
[1] https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5
[2] https://github.com/lambdaisland/uri/commit/67063ed439dd0843536f27e8cde40a8a7d69f37b

Regards,
Salvatore

[toc] | [standalone]

Back to top | Article view | linux.debian.bugs.dist

csiph-web