漏洞标题
在矩阵-org/node-irc中解析问题导致房间接管
漏洞描述信息
矩阵-组织/node-irc中的解析问题导致房间被接管
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
漏洞类别
N/A
漏洞标题
Parsing issue in matrix-org/node-irc leading to room takeovers
漏洞描述信息
matrix-appservice-irc is an open source Node.js IRC bridge for Matrix. Attackers can specify a specific string of characters, which would confuse the bridge into combining an attacker-owned channel and an existing channel, allowing them to grant themselves permissions in the channel. The vulnerability has been patched in matrix-appservice-irc 0.35.0. As a workaround operators may disable dynamic channel joining via `dynamicChannels.enabled` to prevent users from joining new channels, which prevents any new channels being bridged outside of what is already bridged, and what is specified in the config.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
漏洞类别
特权管理不恰当
漏洞标题
Matrix matrix-appservice-irc 资源管理错误漏洞
漏洞描述信息
matrix-appservice-irc是Matrix的一款网桥。这个网桥会将所有 IRC 消息传递给 Matrix,并将所有 Matrix 消息传递给 IRC。 Matrix matrix-appservice-irc 0.35.0 之前版本存在资源管理错误漏洞,攻击者利用该漏洞可以指定特定的字符串,这会使桥接器混淆为将攻击者拥有的频道和现有频道组合在一起,从而允许他们在频道中授予自己权限。
CVSS信息
N/A
漏洞类别
资源管理错误