3.13.0

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

rocket-chat

critical

NVD

Published: 2021-05-27

Updated: 2022-08-30

Summary

A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, resulting potentially in RCE.

Vulnerable Configurations

Part	Description	Count
Application	Rocket.Chat Rocket.Chat Rocket.Chat 3.11.0 Rocket.Chat Rocket.Chat 3.12.0 Rocket.Chat Rocket.Chat 3.13.0	3

References

https://hackerone.com/reports/1130721
http://packetstormsecurity.com/files/162997/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Execution.html
http://packetstormsecurity.com/files/163419/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Execution.html
https://blog.sonarsource.com/nosql-injections-in-rocket-chat