Description
IRC allows you to specify multiple modes in a single mode command. Due to a bug in the underlying matrix-org/node-irc library, affected versions of matrix-appservice-irc parse such commands incorrectly, which can result in the wrong user being given permissions.
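As an added illustration (not code from matrix-org/node-irc or matrix-appservice-irc), this sketch shows how the parameters of a multi-mode command have to be paired with its mode characters so that a privilege mode such as `+o` lands on the intended nick. The mode letters in `SAMPLE_SUPPORT`, the function names and the fail-closed error handling are assumptions made for the example; it does not reproduce the actual defect, which this page does not detail.

```javascript
// Added illustration; not code from matrix-org/node-irc.
// Mode classes follow the ISUPPORT CHANMODES=A,B,C,D and PREFIX tokens.
// The letters below are constructed sample values; real servers advertise their own.
const SAMPLE_SUPPORT = {
  list: "beI",     // type A: takes a parameter when changed
  always: "k",     // type B: always takes a parameter
  onSet: "l",      // type C: parameter only when being set
  flag: "imnpst",  // type D: never takes a parameter
  prefix: "ov",    // membership modes: always take a nick
};

function parseModeChange(modeString, args, support = SAMPLE_SUPPORT) {
  const queue = [...args];
  const changes = [];
  let adding = true;
  for (const ch of modeString) {
    if (ch === "+") { adding = true; continue; }
    if (ch === "-") { adding = false; continue; }
    const needsArg =
      support.prefix.includes(ch) ||
      support.list.includes(ch) ||
      support.always.includes(ch) ||
      (support.onSet.includes(ch) && adding);
    const known = needsArg || support.onSet.includes(ch) || support.flag.includes(ch);
    if (!known) throw new Error(`unknown mode character: ${ch}`);
    let arg = null;
    if (needsArg) {
      // Fail closed: never shift a later parameter onto a privilege mode.
      if (queue.length === 0) throw new Error(`mode ${ch} is missing its parameter`);
      arg = queue.shift();
    }
    changes.push({ adding, mode: ch, arg });
  }
  if (queue.length > 0) throw new Error("unconsumed mode parameters");
  return changes;
}

// Only additions of membership modes count as privilege grants.
function privilegeGrants(changes, support = SAMPLE_SUPPORT) {
  return changes
    .filter((c) => c.adding && support.prefix.includes(c.mode))
    .map((c) => `${c.mode}:${c.arg}`);
}
```

With the constructed input `+mo-v alice bob`, the flag mode `m` consumes no parameter, so `alice` is the only nick granted `o` and `bob` only loses `v`.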
Recommendation
Update the matrix-appservice-irc package to the latest compatible version. Version details:
- Affected version(s): < 0.35.0
- Patched version(s): 0.35.0
References
Related Issues
- Matrix-appservice-irc vulnerable to sql injection via roomIds argument - CVE-2022-3971
- Improper handling of multiline messages in node-irc affects matrix-appservice-irc - CVE-2022-29166
- matrix-appservice-irc events can be crafted to leak parts of targeted messages from other bridged rooms - CVE-2023-38700
- Parsing issue in matrix-org/node-irc leading to room takeovers - CVE-2022-39203
Tags
- npm
- matrix-appservice-irc
Last updated on January 29, 2023