Today we are announcing security updates for several of our bridges.
- matrix-appservice-irc 1.0.1 affected by GHSA-vc7j-h8xg-fv5x / CVE-2023-38691, GHSA-3pmj-jqqp-2mj3 / CVE-2023-38690, and GHSA-c7hh-3v6c-fj4q
- matrix-hookshot 4.4.1 affected by GHSA-vc7j-h8xg-fv5x / CVE-2023-38691
- matrix-appservice-slack 2.1.2 affected by GHSA-vc7j-h8xg-fv5x / CVE-2023-38691
In addition we have released matrix-appservice-bridge 9.0.1 (and backported to 8.1.2) which patches GHSA-vc7j-h8xg-fv5x.
All of the bridges listed above are affected by a vulnerability in their provisioning interfaces. If you are unable to upgrade, please disable provisioning for now (the relevant setting should be documented in each bridge's sample config):
- IRC bridge config: set provisioning.enabled to false.
- Slack bridge config: set provisioning.enabled to false.
- Hookshot config: remove the widgets resource (NOT provisioning).
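To confirm the workaround above is actually in place before the patched releases are rolled out, the following added helper (not code from the Matrix.org bridges) audits an already parsed bridge configuration. It assumes the IRC and Slack configs expose provisioning.enabled as a top-level mapping, and that the Hookshot config has a listeners list whose entries carry a resources list; the sample configs below are constructed for illustration, not real deployments.

```python
"""Audit helper for the provisioning workaround in this advisory.

Input is the already parsed config (e.g. the dict yaml.safe_load returns
for the bridge's config file). Key layout is an assumption; check it
against your own sample config.
"""


def irc_slack_provisioning_disabled(config: dict) -> list[str]:
    """Findings for an IRC or Slack bridge config; an empty list means mitigated."""
    findings = []
    prov = config.get("provisioning")
    if not isinstance(prov, dict) or "enabled" not in prov:
        # Not explicitly disabled: do not rely on a default, set it yourself.
        findings.append("provisioning.enabled is not set; set it to false")
    elif prov["enabled"] is not False:
        # Catches True as well as the string "false", which is not a boolean.
        findings.append(f"provisioning.enabled is {prov['enabled']!r}; set it to false")
    return findings


def hookshot_widgets_removed(config: dict) -> list[str]:
    """Findings for a Hookshot config; flags any listener still serving widgets."""
    findings = []
    for i, listener in enumerate(config.get("listeners") or []):
        resources = listener.get("resources") or []
        if "widgets" in resources:
            port = listener.get("port", "?")
            findings.append(f"listener {i} (port {port}) still serves widgets; remove it")
    return findings


# Constructed sample configs: the weak setting beside the corrected one.
IRC_BEFORE = {"provisioning": {"enabled": True}}
IRC_AFTER = {"provisioning": {"enabled": False}}
# Hookshot: only the widgets resource goes; the provisioning resource stays.
HOOKSHOT_BEFORE = {"listeners": [{"port": 9000, "resources": ["webhooks"]},
                                 {"port": 9002, "resources": ["widgets", "provisioning"]}]}
HOOKSHOT_AFTER = {"listeners": [{"port": 9000, "resources": ["webhooks"]},
                                {"port": 9002, "resources": ["provisioning"]}]}

if __name__ == "__main__":
    for name, cfg in [("irc before", IRC_BEFORE), ("irc after", IRC_AFTER)]:
        print(name, irc_slack_provisioning_disabled(cfg) or "OK")
    for name, cfg in [("hookshot before", HOOKSHOT_BEFORE), ("hookshot after", HOOKSHOT_AFTER)]:
        print(name, hookshot_widgets_removed(cfg) or "OK")
```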
The IRC bridge is also affected by two additional vulnerabilities. In this case, we would recommend upgrading immediately rather than working around the problems.
Disclosures for these vulnerabilities, as well as CVE numbers, will be published in three days (Thursday 3rd).
We advise upgrading as soon as possible.
If you have further questions, please reach out to security@matrix.org