Vulnerability Details : CVE-2023-38700
matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. Version 1.0.1 fixes this issue. As a workaround, set the `matrixHandler.eventCacheSize` config value to `0`. This workaround may impact performance.
Vulnerability category: Information leak
Products affected by CVE-2023-38700
- cpe:2.3:a:matrix:matrix_irc_bridge:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-38700
- 0.27%: Probability of exploitation activity in the next 30 days
- ~ 50 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-38700
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | 2.2 | 1.4 | NIST | |
3.5 | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N | 1.8 | 1.4 | GitHub, Inc. | |
CWE ids for CVE-2023-38700
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: security-advisories@github.com (Secondary)
References for CVE-2023-38700
- https://github.com/matrix-org/matrix-appservice-irc/releases/tag/1.0.1
  Release 1.0.1 (2023-07-31) · matrix-org/matrix-appservice-irc · GitHub (Release Notes)
- https://github.com/matrix-org/matrix-appservice-irc/commit/8bbd2b69a16cbcbeffdd9b5c973fd89d61498d75
  Merge pull request from GHSA-c7hh-3v6c-fj4q · matrix-org/matrix-appservice-irc@8bbd2b6 · GitHub (Patch)
- https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-c7hh-3v6c-fj4q
  Events can be crafted to leak parts of targeted messages from other bridged rooms · Advisory · matrix-org/matrix-appservice-irc · GitHub (Vendor Advisory)