Vulnerability Details : CVE-2023-38690
matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it is possible to craft a command with newlines which would not be properly parsed. This would mean you could pass a string of commands as a channel name, which would then be run by the IRC bridge bot. Versions 1.0.1 and above are patched. There are no robust workarounds to the bug. One may disable dynamic channels in the config to disable the most common execution method but others may exist.
Vulnerability category: Input validation
Products affected by CVE-2023-38690
- cpe:2.3:a:matrix:matrix_irc_bridge:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-38690
0.16%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 53 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-38690
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST | |
5.8
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N |
3.9
|
1.4
|
GitHub, Inc. |
CWE ids for CVE-2023-38690
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: security-advisories@github.com (Primary)
-
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-38690
-
https://github.com/matrix-org/matrix-appservice-irc/releases/tag/1.0.1
Release 1.0.1 (2023-07-31) · matrix-org/matrix-appservice-irc · GitHubRelease Notes
-
https://github.com/matrix-org/matrix-appservice-irc/commit/0afb064635d37e039067b5b3d6423448b93026d3
Add a test to ensure that the irc client state doesn't bloat on VERSI… · matrix-org/matrix-appservice-irc@0afb064 · GitHubPatch
-
https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-3pmj-jqqp-2mj3
IRC command injection via admin commands containing newlines · Advisory · matrix-org/matrix-appservice-irc · GitHubThird Party Advisory
Jump to