CVE-2024-32000

CVSS 3.1 Score 4.3 of 10 (medium)

Details

Published Apr 12, 2024
Updated: Apr 15, 2024
CWE ID 755
CWE ID 280

Summary

CVE-2024-32000 is a vulnerability affecting matrix-appservice-irc, a Node.js IRC bridge for the Matrix messaging protocol. This issue allows a malicious user to leak the truncated body of a message if they reply to an event ID they don't have access to. The attack requires the user to know the event ID and be joined to both the Matrix room and the IRC channel it is bridged to. The leaked message content becomes visible to IRC channel members. To mitigate this issue, users are advised to upgrade to version 2.0.0, which checks for user permissions before constructing a reply. Administrators can also limit the information leaked by setting a reply template without the original message content. (Lines 601-604 in the configuration file)

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share