thelounge may publicly disclose all usernames/idents via port 113

Low severity GitHub Reviewed Published May 9, 2024 in thelounge/thelounge • Updated May 9, 2024

Package

npm thelounge (npm)

Affected versions

<= 4.4.3

Patched versions

None

Description

Per RFC 1413, the unique identifying tuple includes not only the ports but also both addresses. Without the addresses, the information becomes both non-unique and public:

  • If multiple connections happen to use the same local port number (which is possible if the addresses differ), the username of the first is returned for all, resulting in the wrong ident for all but the first.
  • By not checking the connection address, the information becomes public. Because there is only a relatively small number of local ports, and the remote ports are likely to be either 6667 or 6697, it becomes trivial to scan the entire range to get a list of idents.

To prevent this from happening, disable identd or upgrade to a non-vulnerable version.
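
The difference between a ports-only lookup and a full-tuple lookup, shown as an added example rather than thelounge's own code. The table layout, function names and sample addresses are constructed for illustration.

```javascript
// Added illustration; all names are hypothetical and this is not thelounge's code.
// Each entry is an outgoing IRC connection plus the ident to report for it.
// Sample data is constructed (documentation address ranges).
const connections = [
  { user: "alice", localAddr: "192.0.2.10", localPort: 40000, remoteAddr: "198.51.100.5", remotePort: 6697 },
  { user: "bob",   localAddr: "192.0.2.11", localPort: 40000, remoteAddr: "198.51.100.6", remotePort: 6697 },
];

// RFC 1413 query line: "<port-on-server> , <port-on-client>", where the
// "server" is the identd host, so the first number is our local port.
function parseQuery(line) {
  const m = /^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$/.exec(line);
  if (!m) return null;
  const [localPort, remotePort] = [Number(m[1]), Number(m[2])];
  const valid = (p) => p >= 1 && p <= 65535;
  return valid(localPort) && valid(remotePort) ? { localPort, remotePort } : null;
}

// Pattern the advisory describes: ports only, first match wins.
function lookupPortsOnly(table, line) {
  const q = parseQuery(line);
  if (!q) return null;
  const hit = table.find((c) => c.localPort === q.localPort && c.remotePort === q.remotePort);
  return hit ? hit.user : null;
}

// Full tuple: the addresses are taken from the identd socket that carried
// the query (peer = asking host, local = address it reached us on).
function lookupFullTuple(table, line, identSock) {
  const q = parseQuery(line);
  if (!q) return null;
  const hit = table.find((c) =>
    c.localPort === q.localPort && c.remotePort === q.remotePort &&
    c.localAddr === identSock.localAddress && c.remoteAddr === identSock.remoteAddress);
  return hit ? hit.user : null; // null would be answered with NO-USER
}

// Query from bob's IRC server, and the same query from an unrelated host.
const fromBobsServer = { localAddress: "192.0.2.11", remoteAddress: "198.51.100.6" };
const fromStranger   = { localAddress: "192.0.2.10", remoteAddress: "203.0.113.9" };
```

With the same query line `40000, 6697`, the ports-only lookup answers `alice` to every asker, while the full-tuple lookup answers `bob` to bob's server and nothing to the unrelated host. On a dual-stack listener Node reports IPv4 peers as `::ffff:a.b.c.d`, so addresses need normalising before the comparison.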

References

@brunnre8 brunnre8 published to thelounge/thelounge May 9, 2024
Published to the GitHub Advisory Database May 9, 2024
Reviewed May 9, 2024
Last updated May 9, 2024

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-g49q-jw42-6x85
