CVE Catalog

CVE-2023-38700

LowCVSS 3.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.49%

38th percentile — higher than 38% of all known CVEs

Summary

In versions prior to 1.0.1, matrix-appservice-irc allowed crafting an event that could leak part of a message from another bridged room. This required knowing the event ID to target.

Risk Assessment

The organization may be exposed to leaks of sensitive information from other rooms, potentially compromising user privacy.

Recommendation

It is recommended to upgrade to version 1.0.1 or apply the workaround by setting the `matrixHandler.eventCacheSize` config value to `0`, keeping in mind the potential impact on performance.

Original NVD description (English source)

matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. Version 1.0.1n fixes this issue. As a workaround, set the `matrixHandler.eventCacheSize` config value to `0`. This workaround may impact performance.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS