
6 matches found

OSV
added 2023/08/04 5:26 p.m. | 17 views

GHSA-3PMJ-JQQP-2MJ3 matrix-appservice-irc IRC command injection via admin commands containing newlines

Impact: It is possible to craft a command with newlines which would not be properly parsed. This would mean you could pass a string of commands as a channel name, which would then be run by the IRC bridge bot. Patches: Versions 1.0.1 and above are patched. Workarounds: There are no robust workaround...

5 CVSS | 7.6 AI score | 0.00179 EPSS
Exploits 0 | References 5
GitHub Security Blog
added 2023/08/04 5:26 p.m. | 31 views

matrix-appservice-irc IRC command injection via admin commands containing newlines

Impact: It is possible to craft a command with newlines which would not be properly parsed. This would mean you could pass a string of commands as a channel name, which would then be run by the IRC bridge bot. Patches: Versions 1.0.1 and above are patched. Workarounds: There are no robust workaround...

9.8 CVSS | 7.1 AI score | 0.00179 EPSS
Exploits 0 | References 5 | Affected Software 1
GitHub Security Blog
added 2023/08/04 5:26 p.m. | 23 views

matrix-appservice-irc events can be crafted to leak parts of targeted messages from other bridged rooms

Impact: It was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. Patches: Please upgrade to 1.0.1. Workarounds: You can set the matrixHandler.eventCacheSize config value to 0 to work around this...

3.7 CVSS | 6.4 AI score | 0.00355 EPSS
Exploits 0 | References 5 | Affected Software 1
OSV
added 2023/08/04 5:26 p.m. | 18 views

GHSA-C7HH-3V6C-FJ4Q matrix-appservice-irc events can be crafted to leak parts of targeted messages from other bridged rooms

Impact: It was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. Patches: Please upgrade to 1.0.1. Workarounds: You can set the matrixHandler.eventCacheSize config value to 0 to work around this...

3.5 CVSS | 3.7 AI score | 0.00355 EPSS
Exploits 0 | References 5
OSV
added 2022/09/15 3:26 a.m. | 22 views

GHSA-CQ7Q-5C67-W39W matrix-appservice-irc vulnerable to IRC mode parameter confusion

Impact: IRC allows you to specify multiple modes in a single mode command. Due to a bug in the underlying matrix-org/node-irc library, affected versions of matrix-appservice-irc perform parsing of such modes incorrectly, potentially resulting in the wrong user being given permissions. Mode command...

4.3 CVSS | 5.5 AI score | 0.00268 EPSS
Exploits 0 | References 5
OSV
added 2022/09/15 3:26 a.m. | 12 views

GHSA-XVQG-MV25-RWVW Parsing issue in matrix-org/node-irc leading to room takeovers

Impact: Attackers can specify a specific string of characters, which would confuse the bridge into combining an attacker-owned channel and an existing channel, allowing them to grant themselves permissions in the channel. Patched: The vulnerability has been patched in matrix-appservice-irc 0.35.0...

8.8 CVSS | 8.6 AI score | 0.0031 EPSS
Exploits 0 | References 4