PT-2023-28902 · Github+2
Half-Shot · Published 2023-09-27 · Updated 2023-10-05 · CVE-2023-43656
CVSS v3.1: 5.6 Medium
Vector: AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
matrix-hookshot versions prior to 4.5.0
Description
The issue affects matrix-hookshot, a Matrix bot for connecting to external services like GitHub, GitLab, JIRA, and more. Instances with transformation functions enabled, specifically those that have generic.allowJsTransformationFunctions in their config, may be vulnerable to an attack that breaks out of the vm2 sandbox. This problem is more likely to affect users who have allowed untrusted users to apply their own transformation functions. The threat is reduced, though not eliminated, for users who have only enabled a limited set of trusted users.
Recommendations
For versions prior to 4.5.0, upgrade to version 4.5.0 or above, which includes a new sandbox library for better protection.
For users unable to upgrade, disable generic.allowJsTransformationFunctions in the config as a temporary workaround.
Exploit
Fix
Special Elements Injection
Weakness Enumeration
Related Identifiers
Affected Products
Github
Gitlab
Jira
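A triage check for the Recommendations section, added here as an example (not code from matrix-hookshot or the advisory). It assumes each instance's version and parsed config have already been collected, that the dotted key maps to a nested generic section, and that an absent key means the feature is off; the inventory and all function names are constructed.

```javascript
// Added example: classify hookshot instances against CVE-2023-43656.
const FIXED = [4, 5, 0]; // first fixed release, per the advisory

// Parse "4.4.1", "v4.5.0" or "4.5.0-rc1"; returns null when unparseable.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(text).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when the version sorts before 4.5.0. A 4.5.0 pre-release is
// treated as unfixed, which is the conservative reading.
function isBeforeFixed(v) {
  for (let i = 0; i < 3; i++) {
    if (v.nums[i] !== FIXED[i]) return v.nums[i] < FIXED[i];
  }
  return v.pre;
}

// instance = { name, version, config } where config is the parsed config file.
function assessInstance(instance) {
  const v = parseVersion(instance.version);
  // Assumption: only an explicit boolean true enables JS transformations.
  const jsEnabled = instance.config?.generic?.allowJsTransformationFunctions === true;
  if (v === null) {
    return { name: instance.name, status: "unknown-version", jsEnabled,
             action: "confirm the installed version manually" };
  }
  if (!isBeforeFixed(v)) {
    return { name: instance.name, status: "fixed", jsEnabled, action: "none" };
  }
  return jsEnabled
    ? { name: instance.name, status: "exposed", jsEnabled,
        action: "upgrade to 4.5.0 or above, or disable generic.allowJsTransformationFunctions" }
    : { name: instance.name, status: "workaround-applied", jsEnabled,
        action: "upgrade to 4.5.0 or above when possible" };
}

// Constructed inventory for illustration only.
const inventory = [
  { name: "bridge-a", version: "4.4.1", config: { generic: { allowJsTransformationFunctions: true } } },
  { name: "bridge-b", version: "v4.4.1", config: { generic: { allowJsTransformationFunctions: false } } },
  { name: "bridge-c", version: "4.5.0", config: { generic: { allowJsTransformationFunctions: true } } },
  { name: "bridge-d", version: "4.5.0-rc1", config: { generic: { allowJsTransformationFunctions: true } } },
  { name: "bridge-e", version: "unknown", config: {} },
];
for (const r of inventory.map(assessInstance)) console.log(r.name, r.status, "->", r.action);
```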