matrix-appservice-irc@0.19.0-rc1 vulnerabilities

An IRC Bridge for Matrix

Direct Vulnerabilities

Known vulnerabilities in the matrix-appservice-irc package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable version
Information Exposure (severity: Medium)

matrix-appservice-irc is an IRC Bridge for Matrix.

Affected versions of this package are vulnerable to Information Exposure due to improper verification of user permissions before constructing a reply to an event. An attacker can leak the truncated body of a message by sending a Matrix reply to an event ID they do not have access to.

Note: This is exploitable only if the attacker knows the event ID and is joined to both the Matrix room and the IRC channel it is bridged to.

How to fix Information Exposure?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: * (all published versions)
Information Exposure (severity: Low)

matrix-appservice-irc is an IRC Bridge for Matrix.

Affected versions of this package are vulnerable to Information Exposure via crafted events that leak parts of targeted messages from other bridged rooms. Note: This is exploitable only when the attacker knows the event ID to target.

How to fix Information Exposure?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: * (all published versions)
Command Injection (severity: Medium)

matrix-appservice-irc is an IRC Bridge for Matrix.

Affected versions of this package are vulnerable to Command Injection: a crafted command containing newlines is not properly parsed and is then run by the IRC bridge bot.

How to fix Command Injection?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: * (all published versions)
SQL Injection (severity: Medium)

matrix-appservice-irc is an IRC Bridge for Matrix.

Affected versions of this package are vulnerable to SQL Injection via the roodIds argument in src/datastore/postgres/PgDataStore.ts.

How to fix SQL Injection?

Upgrade matrix-appservice-irc to version 0.35.1 or higher.

Vulnerable versions: <0.35.1
Incorrect Privilege Assignment (severity: High)

matrix-appservice-irc is an IRC Bridge for Matrix.

Affected versions of this package are vulnerable to Incorrect Privilege Assignment due to improper validation of string characters: a maliciously crafted string can confuse the bridge into combining an attacker-owned channel with an existing channel, which allows permissions to be granted in that channel.

How to fix Incorrect Privilege Assignment?

Upgrade matrix-appservice-irc to version 0.35.0 or higher.

Vulnerable versions: <0.35.0
Improper Access Control (severity: Medium)

matrix-appservice-irc is an IRC Bridge for Matrix.

Affected versions of this package are vulnerable to Improper Access Control due to an improper mode-parsing bug in the upstream matrix-org-irc package, which might result in permissions being assigned to the wrong user.

How to fix Improper Access Control?

Upgrade matrix-appservice-irc to version 0.35.0 or higher.

Vulnerable versions: <0.35.0