SB2021030102 - Multiple vulnerabilities in Rocket.Chat Server

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Input validation error (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to unspecified error. A remote attacker can bypass implemented security restrictions. No additional details are available yet.

2) Improper Authentication (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to unspecified error, related to SAML implementation. A remote attacker can bypass authentication process and gain unauthorized access to the application.

3) Input validation error (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to unspecified error. A remote attacker can bypass implemented security restrictions. No additional details are available yet.

Remediation

Install update from vendor's website.

References

• https://github.com/RocketChat/Rocket.Chat/releases/tag/3.12.0
• https://docs.rocket.chat/guides/security/security-updates
• https://github.com/RocketChat/Rocket.Chat/releases/tag/3.11.2
• https://github.com/RocketChat/Rocket.Chat/releases/tag/3.10.6