4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-39691

GHSA ID

GHSA-w9mh-5x8j-9754

EPSS Score

0.13098%

CWE

CWE-280

Published

7/5/2024

Updated

7/5/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-39691

CVE-2024-39691:
Malicious Matrix homeserver can leak truncated message content of messages it shouldn't have access to

Impact

The fix for GHSA-wm4w-7h2q-3pf7 / CVE-2024-32000 included in matrix-appservice-irc 2.0.0 relied on the Matrix homeserver-provided timestamp to determine whether a user has access to the event they're replying to when determining whether or not to include a truncated version of the original event in the IRC message. Since this value is controlled by external entities, a malicious Matrix homeserver joined to a room in which a matrix-appservice-irc bridge instance (before version 2.0.1) is present can fabricate the timestamp with the intent of tricking the bridge into leaking room messages the homeserver should not have access to.

Patches

matrix-appservice-irc 2.0.1 drops the reliance on origin_server_ts when determining whether or not an event should be visible to a user, instead tracking the event timestamps internally.

Workarounds

It's possible to limit the amount of information leaked by setting a reply template that doesn't contain the original message. See these lines in the configuration file.

References

Patch: https://github.com/matrix-org/matrix-appservice-irc/pull/1804

For more information

If you have any questions or comments about this advisory, please email us at security at matrix.org.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-39691

GHSA ID

GHSA-w9mh-5x8j-9754

EPSS Score

0.13098%

CWE

CWE-280

Published

7/5/2024

Updated

7/5/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
matrix-appservice-irc	npm	<= 2.0.0	2.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from using event.origin_server_ts (controlled by external homeservers) to determine message visibility in member join tracking. The commit diff shows this timestamp was replaced with Date.now() in MatrixHandler.ts's _onMemberEvent method, indicating this was the vulnerable function. The function's reliance on untrusted input for security decisions directly matches the CWE-280 (Improper Permission Handling) described in the advisory.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** *ix *or **S*-wm*w-***q-*p** / [*V*-****-*****](*ttps://www.*v*.or*/*V*R**or*?i*=*V*-****-*****) in*lu*** in m*trix-*pps*rvi**-ir* *.*.* r*li** on t** M*trix *om*s*rv*r-provi*** tim*st*mp to **t*rmin* w**t**r * us*r **s ****ss to t** *

Reasoning

T** vuln*r**ility st*mm** *rom usin* *v*nt.ori*in_s*rv*r_ts (*ontroll** *y *xt*rn*l *om*s*rv*rs) to **t*rmin* m*ss*** visi*ility in m*m**r join tr**kin*. T** *ommit *i** s*ows t*is tim*st*mp w*s r*pl**** wit* **t*.now() in M*trix**n*l*r.ts's _onM*m**

4.3

Basic Information

Concerned about an active attack path?

CVE-2024-39691: Malicious Matrix homeserver can leak truncated message content of messages it shouldn't have access to

Impact

Patches

Workarounds

References

For more information

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-39691:
Malicious Matrix homeserver can leak truncated message content of messages it shouldn't have access to

Vulnerability Intelligence
Miggo AI