In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured.
The vulnerability results from improper input validation in the context of NoSQL database queries. When an OAuth application is configured in the Rocket.Chat instance, an attacker can craft a malicious query containing NoSQL operators, thereby bypassing authentication mechanisms. As a result, it is possible to locate and take over the account of the first user for whom an access token was generated.
An unauthenticated attacker can completely take over a user account (account takeover), gaining full access to their data, messages, and permissions within the Rocket.Chat instance.
Rocket.Chat must be immediately updated to version 8.3.0, 8.2.1, 8.1.2, 8.0.3, 7.13.5, 7.12.6, 7.11.6, or 7.10.9 (depending on the branch in use). As a temporary measure, consider disabling configured OAuth applications until the patch is deployed. Details available in the vendor's pull request: https://github.com/RocketChat/Rocket.Chat/pull/39492.
Rocket.Chat in versions: below 8.3.0, below 8.2.1, below 8.1.2, below 8.0.3, below 7.13.5, below 7.12.6, below 7.11.6, and below 7.10.9 — only when an OAuth application is configured.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HRocket.chat
APPRocket.Chat8.3.07.11.0 – 7.11.6 (bez)7.12.0 – 7.12.6 (bez)7.13.0 – 7.13.5 (bez)< 7.10.98.1.0 – 8.1.2 (bez)8.2.0 – 8.2.1 (bez)8.0.0 – 8.0.3 (bez)
Related vulnerabilities
Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerab...
Rocket.Chat — pominięcie await powoduje auth bypass w ddp-streamer
A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where o...
A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a...
A sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed quer...