PT-2022-19424 · Node-Irc+1 · Node-Irc+1

Dkasak

Published

2022-05-05

Updated

2022-05-23

CVE-2022-29166

CVSS v3.1

8.0

High

Vector

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions matrix-appservice-irc versions prior to 0.33.2

Description The issue allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message. This is due to a vulnerability in the node-irc component of the matrix-appservice-irc software. Users should refrain from replying to messages from untrusted participants in IRC-bridged Matrix rooms to minimize the risk.

Recommendations For versions prior to 0.33.2, update to version 0.33.2 to resolve the issue. As a temporary workaround, consider refraining from replying to messages from untrusted participants in IRC-bridged Matrix rooms until the update is applied.

Exploit

Fix

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-74CWE-93

Related Identifiers

CVE-2022-29166

GHSA-37HR-348P-RMF4

GHSA-52RH-5RPJ-C3W6

Affected Products

Matrix-Appservice-Irc

Node-Irc

PT-2022-19424 · Node-Irc+1 · Node-Irc+1

CVE-2022-29166

Weakness Enumeration

Related Identifiers

Affected Products

References · 14