Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nNDlxLWp3NDItNng4Nc4AA74Q
thelounge may publicly disclose all usernames/idents via port 113
Per RFC 1413, the unique identifying tuple includes not only the ports but also both addresses. Without the addresses, the information becomes both non-unique and public:
- If multiple connections happen to use the same local port number (which is possible if the addresses differ), the username of the first is returned for all, resulting in the wrong ident for all but the first.
- By not checking the connection address, the information becomes public. Because there is only a relatively small number of local ports, and the remote ports are likely to be either 6667 or 6697, it becomes trivial to scan the entire range to get a list of idents.
To prevent this from happening, disable identd or upgrade to a non-vulnerable version.
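The address check described above, sketched as an added example; it is not thelounge's code and not taken from the referenced pull request. The class name `IdentTable`, its methods and the sample addresses are hypothetical. The query and response strings follow the RFC 1413 format.

```javascript
// Added example with hypothetical names; not thelounge's implementation.
// The ident table is keyed by the full RFC 1413 tuple, not by ports alone.
class IdentTable {
  constructor() {
    this.entries = new Map();
  }

  static key(c, localPort = c.localPort, remotePort = c.remotePort) {
    return JSON.stringify([c.localAddr, localPort, c.remoteAddr, remotePort]);
  }

  // Register an outgoing IRC connection and the ident it should report.
  add(conn, user) {
    this.entries.set(IdentTable.key(conn), user);
  }

  remove(conn) {
    this.entries.delete(IdentTable.key(conn));
  }

  // query: request line "<our port> , <their port>".
  // sock: addresses of the port-113 connection the query arrived on.
  respond(query, sock) {
    const m = /^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$/.exec(query);
    if (!m) return "0 , 0 : ERROR : UNKNOWN-ERROR";
    const localPort = Number(m[1]);
    const remotePort = Number(m[2]);
    const prefix = `${localPort} , ${remotePort}`;
    if ([localPort, remotePort].some((p) => p < 1 || p > 65535)) {
      return `${prefix} : ERROR : INVALID-PORT`;
    }
    // Only the remote end of a connection, reaching us on that connection's
    // local address, gets an answer; anyone else sees NO-USER.
    const user = this.entries.get(IdentTable.key(sock, localPort, remotePort));
    return user === undefined
      ? `${prefix} : ERROR : NO-USER`
      : `${prefix} : USERID : UNIX : ${user}`;
  }
}

// Constructed sample data (documentation address ranges).
function demo() {
  const table = new IdentTable();
  const local = { localAddr: "192.0.2.10", localPort: 40000, remotePort: 6697 };
  table.add({ ...local, remoteAddr: "198.51.100.1" }, "alice");
  table.add({ ...local, remoteAddr: "198.51.100.2" }, "bob");
  const ask = (remoteAddr) =>
    table.respond("40000 , 6697", { localAddr: "192.0.2.10", remoteAddr });
  return ["198.51.100.1", "198.51.100.2", "203.0.113.9"].map(ask);
}
```

Addresses must be compared in one normalized form, since a dual-stack Node.js listener reports IPv4 peers as `::ffff:a.b.c.d`.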
Permalink: https://github.com/advisories/GHSA-g49q-jw42-6x85
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNDlxLWp3NDItNng4Nc4AA74Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 7 months ago
Updated: 7 months ago
Identifiers: GHSA-g49q-jw42-6x85
References:
- https://github.com/thelounge/thelounge/security/advisories/GHSA-g49q-jw42-6x85
- https://github.com/thelounge/thelounge/pull/4872
- https://github.com/advisories/GHSA-g49q-jw42-6x85
Blast Radius: 0.0
Affected Packages
npm:thelounge
Dependent packages: 11
Dependent repositories: 7
Downloads: 1,008 last month
Affected Version Ranges: <= 4.4.3
No known fixed version
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.7.1, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.2.0, 3.3.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.3