CVE-2023-38700
matrix-appservice-irc events can be crafted to leak parts of targeted messages from other bridged rooms
Public Exploits: 0
Exploited in Wild: -
Descriptions
matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. Version 1.0.1 fixes this issue. As a workaround, set the `matrixHandler.eventCacheSize` config value to `0`. This workaround may impact performance.
SSVC
- Decision: Track
Timeline
- 2023-07-24 CVE Reserved
- 2023-08-04 CVE Published
- 2024-09-05 EPSS Updated
- 2024-10-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
References (3)
URL | Tag | Date |
---|---|---|
https://github.com/matrix-org/matrix-appservice-irc/releases/tag/1.0.1 | Release Notes | |
https://github.com/matrix-org/matrix-appservice-irc/commit/8bbd2b69a16cbcbeffdd9b5c973fd89d61498d75 | | 2023-08-11 |
https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-c7hh-3v6c-fj4q | | 2023-08-11 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Matrix | Matrix Irc Bridge | < 1.0.1 | node.js | Affected |