PT-2023-26555 · Unknown · Matrix-Appservice-Irc
Half-Shot
Published: 2023-08-04 · Updated: 2023-08-11
CVE-2023-38690
CVSS v3.1: 5.8 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
matrix-appservice-irc versions prior to 1.0.1
Description
A command containing newlines was not properly parsed, so an attacker could pass a string of IRC commands as a channel name; the IRC bridge bot would then execute them.
Recommendations
For versions prior to 1.0.1, upgrade to version 1.0.1 or above to resolve the issue.
As a temporary workaround, consider disabling dynamic channels in the config; this removes the most common path by which such a channel name reaches the bot.
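As an added example (not code from matrix-appservice-irc, whose actual fix ships in 1.0.1), the kind of check a bridge can apply before handing a user-derived channel name to its IRC connection: it rejects the CR/LF bytes the description refers to, together with the other characters RFC 1459 forbids in channel names. Function and constant names are assumptions.

```typescript
// Added example, not the project's own code. IRC is a line-oriented
// protocol: a CR or LF inside a channel name ends the current command and
// lets the remainder of the name be read by the server as a new command.
// Allowed prefixes and forbidden characters follow RFC 1459 section 1.3;
// the 50-character cap follows RFC 2812.
const CHANNEL_PREFIXES = ["#", "&", "+", "!"];
// NUL, BEL, CR, LF, space and comma are never valid inside a channel name.
const FORBIDDEN = /[\u0000\u0007\r\n ,]/;
const MAX_LEN = 50;

interface ValidationResult { ok: boolean; reason?: string; }

function validateChannelName(name: string): ValidationResult {
  if (name.length === 0 || name.length > MAX_LEN) {
    return { ok: false, reason: "length" };
  }
  if (!CHANNEL_PREFIXES.includes(name[0])) {
    return { ok: false, reason: "prefix" };
  }
  const m = FORBIDDEN.exec(name);
  if (m) {
    const code = m[0].charCodeAt(0).toString(16).padStart(2, "0");
    return { ok: false, reason: `forbidden byte 0x${code}` };
  }
  return { ok: true };
}

// Build the JOIN line only after validation, so a rejected name never
// reaches the socket; throwing is preferable to emitting a malformed line.
function buildJoinLine(name: string): string {
  const v = validateChannelName(name);
  if (!v.ok) {
    throw new Error(`refusing to JOIN ${JSON.stringify(name)}: ${v.reason}`);
  }
  return `JOIN ${name}\r\n`;
}
```

Logging the rejection reason with the offending byte gives a usable detection signal for attempts to smuggle extra commands through a channel name.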
Tags: Command Injection, RCE
Related Identifiers
Affected Products: Matrix-Appservice-Irc