Lucene search

GoogleOSV:CVE-2023-38700

HistoryAug 04, 2023 - 7:15 p.m.

CVE-2023-38700

2023-08-0419:15:09

Google

osv.dev

cve-2023-38700

node.js

irc

event leakage

fix

workaround

performance

software

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

35.0%

JSON

matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. Version 1.0.1n fixes this issue. As a workaround, set the matrixHandler.eventCacheSize config value to 0. This workaround may impact performance.

References

github.com/matrix-org/matrix-appservice-irc/commit/8bbd2b69a16cbcbeffdd9b5c973fd89d61498d75

github.com/matrix-org/matrix-appservice-irc/releases/tag/1.0.1

github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-c7hh-3v6c-fj4q

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

35.0%

JSON

Related for OSV:CVE-2023-38700