GHSA-g49q-jw42-6x85: thelounge may publicly disclose of all usernames/idents via port 113
Per RFC 1413, The unique identifying tuple includes not only the ports, but also the both addresses. Without the addresses, the information becomes both non-unique and public:
- If multiple connections happen to use the same local port number (which is possible if the addresses differ), the username of the first is returned for all, resulting in the wrong ident for all but the first.
- By not checking the connection address, the information becomes public. Because there is only a relatively small number of local ports, and the remote ports are likely to be either 6667 or 6697, it becomes trivial to scan the entire range to get a list of idents.
To prevent this from happening, disable identd or upgrade to a non vulnerable version.
References
Detect and mitigate GHSA-g49q-jw42-6x85 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →