CVE-2023-38700

Published: Aug 4, 2023

Modified: Oct 3, 2024

PUBLISHED

CVSS v3.1

3.5

LOW

Description

matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. Version 1.0.1n fixes this issue. As a workaround, set the `matrixHandler.eventCacheSize` config value to `0`. This workaround may impact performance.

Vendor	Product	Versions
matrix-org	matrix-appservice-irc	affected `< 1.0.1`

Weaknesses (CWE)

CWE-200

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-c7hh-3v6c-fj4q

x_refsource_CONFIRM

https://github.com/matrix-org/matrix-appservice-irc/commit/8bbd2b69a16cbcbeffdd9b5c973fd89d61498d75

x_refsource_MISC

https://github.com/matrix-org/matrix-appservice-irc/releases/tag/1.0.1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-38700

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References