Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2023-38700

LOW
Published 2023-08-04T18:05:43.187Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2023-38700. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
3.5
/10
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.003
probability
of exploitation in the wild

There is a 0.3% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.498
Higher than 49.8% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED

Impact Metrics

Confidentiality
LOW
Integrity
NONE
Availability
NONE

Description

matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. Version 1.0.1n fixes this issue. As a workaround, set the `matrixHandler.eventCacheSize` config value to `0`. This workaround may impact performance.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

matrix-org

matrix-appservice-irc

Affected Versions:

< 1.0.1

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed LOW

matrix-appservice-irc events can be crafted to leak parts of targeted messages from other bridged rooms

GHSA-c7hh-3v6c-fj4q

Advisory Details

### Impact It was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. ### Patches Please upgrade to 1.0.1. ### Workarounds You can set the `matrixHandler.eventCacheSize` config value to `0` to workaround this bug. However, this may impact performance. ### Credits Discovered and reported by [Val Lorentz](https://valentin-lorentz.fr/). ### For more information If you have any questions or comments about this advisory email us at [[email protected]](mailto:[email protected]).

Affected Packages

npm matrix-appservice-irc
ECOSYSTEM: ≥0 <1.0.1

CVSS Scoring

CVSS Score

2.5

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

References

WEB https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-c7hh-3v6c-fj4q
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-38700
WEB https://github.com/matrix-org/matrix-appservice-irc/commit/8bbd2b69a16cbcbeffdd9b5c973fd89d61498d75
PACKAGE https://github.com/matrix-org/matrix-appservice-irc
WEB https://github.com/matrix-org/matrix-appservice-irc/releases/tag/1.0.1

Advisory provided by GitHub Security Advisory Database. Published: August 4, 2023, Modified: August 4, 2023

References

https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-c7hh-3v6c-fj4q
https://github.com/matrix-org/matrix-appservice-irc/commit/8bbd2b69a16cbcbeffdd9b5c973fd89d61498d75
https://github.com/matrix-org/matrix-appservice-irc/releases/tag/1.0.1
Published: 2023-08-04T18:05:43.187Z
Last Modified: 2024-10-03T18:08:51.929Z
Copied to clipboard!