CVE-2022-39203 – matrix-appservice-irc

Package

Manager: npm
Name: matrix-appservice-irc
Vulnerable Version: >=0 <0.35.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00203 pctl0.42647

Details

Parsing issue in matrix-org/node-irc leading to room takeovers ### Impact Attackers can specify a specific string of characters, which would confuse the bridge into combining an attacker-owned channel and an existing channel, allowing them to grant themselves permissions in the channel. ### Patched The vulnerability has been patched in matrix-appservice-irc 0.35.0. ### Workarounds Disable dynamic channel joining via `dynamicChannels.enabled` to prevent users from joining new channels, which prevents any new channels being bridged outside of what is already bridged, and what is specified in the config. ### References - https://matrix.org/blog/2022/09/13/security-release-of-matrix-appservice-irc-0-35-0-high-severity ### Credits Discovered and reported by [Val Lorentz](https://valentin-lorentz.fr/). ### For more information If you have any questions or comments about this advisory email us at [security@matrix.org](mailto:security@matrix.org).

Metadata

Created: 2022-09-15T03:26:10Z
Modified: 2022-10-07T16:25:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-xvqg-mv25-rwvw/GHSA-xvqg-mv25-rwvw.json
CWE IDs: ["CWE-269"]
Alternative ID: GHSA-xvqg-mv25-rwvw
Finding: F159
Auto approve: 1