CVE-2023-38700: 
JavaScript vulnerability analysis and mitigation

The vulnerability CVE-2023-38700 affects matrix-appservice-irc, a Node.js IRC bridge for Matrix, prior to version 1.0.1. The vulnerability was discovered and reported by Val Lorentz, and was disclosed on August 4, 2023. The issue allowed attackers to craft events that could leak parts of targeted message events from other bridged rooms, provided they knew the specific event ID to target (Matrix Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 3.7 LOW (NIST) and 3.5 LOW (GitHub), with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N. The issue stems from the event caching mechanism in the MatrixHandler class, where events could be accessed across room boundaries due to improper cache key management (GitHub Patch).

The vulnerability allows attackers to access parts of message content from other bridged rooms, leading to potential information disclosure. The impact is limited as it requires the attacker to know the specific event ID they want to target, and only allows access to cached message content (Matrix Advisory).

The vulnerability has been patched in version 1.0.1 of matrix-appservice-irc. As a workaround, administrators can set the matrixHandler.eventCacheSize config value to 0, though this may impact performance. It is strongly recommended to upgrade to the patched version (Matrix Release).