Impact
When Hookshot 6 version 6.0.1 or below, or Hookshot 5 version 5.4.1 or below, is configured with GitHub support, it is vulnerable to a Denial of Service (DoS) whereby it can crash on restart due to a missing check. The impact is greater to you untrusted users can add their own GitHub organizations to Hookshot in order to connect their room to a repository.
Patches
N.B. Patch in progress.
Workarounds
Ensure no untrusted users have the manageConnections permission or greater (https://matrix-org.github.io/matrix-hookshot/latest/setup.html#permissions) in Hookshot's configuration.
References
N/A
Impact
When Hookshot 6 version 6.0.1 or below, or Hookshot 5 version 5.4.1 or below, is configured with GitHub support, it is vulnerable to a Denial of Service (DoS) whereby it can crash on restart due to a missing check. The impact is greater to you untrusted users can add their own GitHub organizations to Hookshot in order to connect their room to a repository.
Patches
N.B. Patch in progress.
Workarounds
Ensure no untrusted users have the
manageConnectionspermission or greater (https://matrix-org.github.io/matrix-hookshot/latest/setup.html#permissions) in Hookshot's configuration.References
N/A