CVE-2024-39691 Malicious Matrix homeserver can leak truncated message content of messages it shouldn't have access to

matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. The fix for GHSA-wm4w-7h2q-3pf7 / CVE-2024-32000 included in matrix-appservice-irc 2.0.0 relied on the Matrix homeserver-provided timestamp to determine whether a user has access to the event they're replying to when...

CVE-2024-32000

matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. matrix-appservice-irc before version 2.0.0 can be exploited to leak the truncated body of a message if a malicious user sends a Matrix reply to an event ID they don't have access to. As a precondition to the attack,...

CVE-2024-32000 Truncated content of messages can be leaked from matrix-appservice-irc

matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. matrix-appservice-irc before version 2.0.0 can be exploited to leak the truncated body of a message if a malicious user sends a Matrix reply to an event ID they don't have access to. As a precondition to the attack,...

CVE-2024-32000

Matrix-appservice-irc (Node.js IRC bridge) before version 2.0.0 could leak the truncated body of a message when a malicious user replies to an event they shouldn’t access, provided they know the event ID and are in both the Matrix room and the bridged IRC channel. The root cause involved reliance...