// For flags

CVE-2023-38700

matrix-appservice-irc events can be crafted to leak parts of targeted messages from other bridged rooms

Severity Score

3.7
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. Version 1.0.1n fixes this issue. As a workaround, set the `matrixHandler.eventCacheSize` config value to `0`. This workaround may impact performance.

matrix-appservice-irc es un puente IRC Node.js para Matrix. Antes de la versión 1.0.1, era posible crear un evento de forma que filtrara parte de un evento de mensaje objetivo de otra sala puenteada. Esto requería conocer un ID de evento al que apuntar. La versión 1.0.1n corrige este problema. Como solución, establezca el valor de configuración `matrixHandler.eventCacheSize` a `0`. Esta solución puede afectar al rendimiento.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-07-24 CVE Reserved
  • 2023-08-04 CVE Published
  • 2024-09-05 EPSS Updated
  • 2024-10-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Matrix
Search vendor "Matrix"
Matrix Irc Bridge
Search vendor "Matrix" for product "Matrix Irc Bridge"
< 1.0.1
Search vendor "Matrix" for product "Matrix Irc Bridge" and version " < 1.0.1"
node.js
Affected