GHSA-g49q-jw42-6x85
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g49q-jw42-6x85
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-g49q-jw42-6x85/GHSA-g49q-jw42-6x85.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-g49q-jw42-6x85
- Published
- 2024-05-09T21:31:35Z
- Modified
- 2024-05-09T21:31:35Z
- Summary
- thelounge may publicly disclose of all usernames/idents via port 113
- Details
-
Per RFC 1413, The unique identifying tuple includes not only the ports, but also the both addresses. Without the addresses, the information becomes both non-unique and public: - If multiple connections happen to use the same local port number (which is possible if the addresses differ), the username of the first is returned for all, resulting in the wrong ident for all but the first. - By not checking the connection address, the information becomes public. Because there is only a relatively small number of local ports, and the remote ports are likely to be either 6667 or 6697, it becomes trivial to scan the entire range to get a list of idents.
To prevent this from happening, disable identd or upgrade to a non vulnerable version.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2024-05-09T21:31:35Z" }- References
Affected packages
npm / thelounge
Package
- Name
- thelounge
- View open source insights on deps.dev
- Purl
- pkg:npm/thelounge