First published: Tue Sep 13 2022
matrix-appservice-irc is an open source Node.js IRC bridge for Matrix. The Internet Relay Chat (IRC) protocol allows multiple modes to be specified in a single MODE command. Due to a bug in the underlying matrix-org/node-irc library, affected versions of matrix-appservice-irc parse such multi-mode commands incorrectly, potentially resulting in the wrong user being given permissions. Mode commands can only be executed by privileged users, so this can only be abused if an operator is tricked into running the command on behalf of an attacker. The vulnerability has been patched in matrix-appservice-irc 0.35.0. As a workaround, users should refrain from entering mode commands suggested by untrusted users and avoid using multiple modes in a single command.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
Matrix IRC Bridge (matrix-appservice-irc) | <0.35.0 | https://github.com/matrix-org/matrix-appservice-irc/commit/5f87dbed87b4b6dc49b7965ff152ee8535719e67
CVE-2022-39202 refers to a vulnerability in matrix-appservice-irc, an open source Node.js IRC bridge for Matrix. A mode-parsing bug in the underlying matrix-org/node-irc library meant that an IRC MODE command setting several modes at once could be parsed incorrectly, potentially granting permissions to the wrong user.
CVE-2022-39202 affects versions of matrix-appservice-irc before 0.35.0. Because mode commands can only be issued by privileged users, abuse requires tricking an operator into running a mode command on an attacker's behalf.
CVE-2022-39202 has a severity score of 6.3 out of 10, indicating a medium severity.
To fix CVE-2022-39202, upgrade to matrix-appservice-irc version 0.35.0 or later, which includes the patch. Until the upgrade is applied, do not run mode commands suggested by untrusted users and avoid using multiple modes in a single command.
Additional information and resources on CVE-2022-39202: [GitHub Commit](https://github.com/matrix-org/matrix-appservice-irc/commit/5f87dbed87b4b6dc49b7965ff152ee8535719e67), [GitHub Security Advisory](https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-cq7q-5c67-w39w), [Matrix Blog Post](https://matrix.org/blog/2022/09/13/security-release-of-matrix-appservice-irc-0-35-0-high-severity/).