Wiz
Vulnerability DatabaseCVE-2022-3971

CVE-2022-3971
JavaScript vulnerability analysis and mitigation

Overview

A critical vulnerability (CVE-2022-3971) was discovered in matrix-appservice-irc versions up to 0.35.1. The vulnerability was related to SQL injection through roomId values when checking room visibility. This security issue affected the Matrix IRC bridge software, which is used to connect Matrix and IRC networks (NVD).

Technical details

The vulnerability was identified as a SQL injection risk in the room visibility checking functionality. The issue specifically occurred in the getRoomsVisibility function where roomId values were directly interpolated into SQL queries without proper parameterization. The vulnerability received a CVSS v3.1 score of 9.8 (CRITICAL) (NVD).

Impact

While classified as critical, this was characterized as a low-risk SQL injection vulnerability. To exploit this vulnerability, an attacker would need to be able to set malicious Matrix IDs in the room mappings (GitHub PR).

Mitigation and workarounds

The vulnerability was fixed in version 0.36.0 released on October 25, 2022. The fix involved properly parameterizing SQL queries when checking room visibility, preventing the SQL injection vector. The solution implemented prepared statements instead of direct string interpolation for SQL queries (Matrix Release).

Additional resources

SourceThis report was generated using AI

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues

Cloud threat landscape

Cloud threat landscape

A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques

PEACH

PEACH

A step-by-step framework for modeling and improving SaaS and PaaS tenant isolation

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo