Main Vulnerability Database SB2021041625

SB2021041625 - Improper input validation in Rocket.Chat

Published: April 16, 2021

Security Bulletin ID SB2021041625

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) NoSQL Injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary NoSQL code in the database.

The vulnerability exists due to improper input validation. A remote non-authenticated attacker can send a specially crafted request and execute arbitrary NoSQL code in the database.

Successful exploitation of this vulnerability may result in account takeover.

Remediation

Install update from vendor's website.

References

https://github.com/RocketChat/Rocket.Chat/releases/tag/3.11.4
https://docs.rocket.chat/guides/security/security-updates
https://github.com/RocketChat/Rocket.Chat/releases/tag/3.12.4
https://github.com/RocketChat/Rocket.Chat/releases/tag/3.13.2