+++
date = "2023-07-31T11:40:00Z"
title = "Bridges Security Update"

[taxonomies]
author = ["Integrations Team", "Matrix Security Team"]
category = ["Bridges", "Security"]
+++
Today we are announcing security updates for several of our bridges.
- matrix-appservice-irc 1.0.1, fixing GHSA-vc7j-h8xg-fv5x / CVE-2023-38691, GHSA-3pmj-jqqp-2mj3 / CVE-2023-38690, and GHSA-c7hh-3v6c-fj4q
- matrix-hookshot 4.4.1, fixing GHSA-vc7j-h8xg-fv5x / CVE-2023-38691
- matrix-appservice-slack 2.1.2, fixing GHSA-vc7j-h8xg-fv5x / CVE-2023-38691
In addition we have released matrix-appservice-bridge 9.0.1 (and backported to 8.1.2) which patches GHSA-vc7j-h8xg-fv5x.
All of the bridges listed above share a vulnerability in their provisioning interfaces (GHSA-vc7j-h8xg-fv5x / CVE-2023-38691). If you are unable to upgrade, please disable provisioning for now; the relevant setting should be documented in each bridge's sample config:

- IRC bridge config: set `provisioning.enabled` to `false`.
- Slack bridge config: set `provisioning.enabled` to `false`.
- Hookshot config: remove the `widgets` resource from your listeners (NOT the `provisioning` section).
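The following audit script is an added example and is not code from the matrix.org bridges or this post. It checks already-loaded configs for the workaround above and produces corrected copies. The config layouts are assumptions: a `provisioning.enabled` key for the IRC and Slack bridges (as stated above), and for hookshot a `listeners` list whose entries carry a `resources` list (the layout hookshot's sample config is assumed to use). In a real audit you would load each file with `yaml.safe_load()`; the sample configs here are constructed inline as the dicts such a load would return.

```python
"""Audit bridge configs for the provisioning workaround (added example).

Assumed layouts: `provisioning.enabled` for IRC/Slack-style configs, and
`listeners[].resources` for hookshot-style configs.  Sample configs below are
constructed for this example; load real files with yaml.safe_load() instead.
"""
from copy import deepcopy

# Constructed sample: an IRC/Slack-style bridge config with provisioning on.
SAMPLE_IRC_CONFIG = {
    "homeserver": {"url": "https://example.org", "domain": "example.org"},
    "provisioning": {"enabled": True, "requestTimeoutSeconds": 300},
}

# Constructed sample: a hookshot-style config with one listener still serving
# the `widgets` resource.  The `provisioning` block is assumed from hookshot's
# config layout and is present only to show that it must NOT be removed.
SAMPLE_HOOKSHOT_CONFIG = {
    "listeners": [
        {"port": 9000, "bindAddress": "0.0.0.0", "resources": ["webhooks"]},
        {"port": 9002, "bindAddress": "0.0.0.0", "resources": ["widgets", "metrics"]},
    ],
    "provisioning": {"secret": "REDACTED"},
}


def provisioning_enabled(config: dict) -> bool:
    """True if an IRC/Slack-style config still has provisioning switched on.

    A missing `provisioning` block or `enabled` key counts as disabled, since
    the workaround is expressed as `provisioning.enabled: false`.
    """
    return bool(config.get("provisioning", {}).get("enabled", False))


def exposed_widgets_listeners(config: dict) -> list:
    """Ports of hookshot-style listeners that still serve the `widgets` resource."""
    return [
        listener.get("port")
        for listener in config.get("listeners", [])
        if "widgets" in listener.get("resources", [])
    ]


def disable_provisioning(config: dict) -> dict:
    """Return a copy of an IRC/Slack-style config with provisioning turned off."""
    fixed = deepcopy(config)
    fixed.setdefault("provisioning", {})["enabled"] = False
    return fixed


def remove_widgets_resource(config: dict) -> dict:
    """Return a copy of a hookshot-style config with `widgets` stripped from
    every listener.  The `provisioning` block is deliberately left untouched:
    the workaround is to remove the widgets resource, not provisioning."""
    fixed = deepcopy(config)
    for listener in fixed.get("listeners", []):
        listener["resources"] = [r for r in listener.get("resources", []) if r != "widgets"]
    return fixed


if __name__ == "__main__":
    print("IRC provisioning enabled:", provisioning_enabled(SAMPLE_IRC_CONFIG))
    print("  after fix:", provisioning_enabled(disable_provisioning(SAMPLE_IRC_CONFIG)))
    print("hookshot listeners exposing widgets:", exposed_widgets_listeners(SAMPLE_HOOKSHOT_CONFIG))
    print("  after fix:", exposed_widgets_listeners(remove_widgets_resource(SAMPLE_HOOKSHOT_CONFIG)))
```

The two fix functions return copies rather than editing in place so the original can be diffed against the result before it is written back; a listener whose only resource was `widgets` is left with an empty `resources` list, which you should review by hand rather than assume the bridge accepts.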
The IRC bridge is also affected by two additional vulnerabilities (GHSA-3pmj-jqqp-2mj3 / CVE-2023-38690 and GHSA-c7hh-3v6c-fj4q). For these we recommend upgrading immediately rather than relying on a workaround.
Disclosures for these vulnerabilities, together with the remaining CVE numbers, will be published in three days (Thursday 3rd August).
We advise upgrading as soon as possible.
If you have further questions, please reach out to security@matrix.org.