Lucene search

[email protected]NVD:CVE-2023-38700

HistoryAug 04, 2023 - 7:15 p.m.

CVE-2023-38700

2023-08-0419:15:09

CWE-200

[email protected]

web.nvd.nist.gov

matrix-appservice-irc

node.js

irc bridge

cve-2023-38700

event leakage

targeted message

version 1.0.1n

workaround

config value

performance impact

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

3.8

Confidence

High

EPSS

0.001

Percentile

35.0%

JSON

matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. Version 1.0.1n fixes this issue. As a workaround, set the matrixHandler.eventCacheSize config value to 0. This workaround may impact performance.

Affected configurations

Nvd

Node

matrixmatrix_irc_bridgeRange<1.0.1node.js

VendorProductVersionCPE
matrixmatrix_irc_bridge*cpe:2.3:a:matrix:matrix_irc_bridge:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
matrix	matrix_irc_bridge	*	cpe:2.3:a:matrix:matrix_irc_bridge::::::node.js::*

References

github.com/matrix-org/matrix-appservice-irc/commit/8bbd2b69a16cbcbeffdd9b5c973fd89d61498d75

github.com/matrix-org/matrix-appservice-irc/releases/tag/1.0.1

github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-c7hh-3v6c-fj4q

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

3.8

Confidence

High

EPSS

0.001

Percentile

35.0%

JSON

Related for NVD:CVE-2023-38700

prion1 github1 cvelist1 veracode1 osv2 cve1