Rocket.Chat: NoSQL injection in the EE ddp-streamer-service
Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
Affected products
2<7.10.8, >=7.10.0 <7.11.5, >=7.11.0 <7.12.5, >=7.12.0 <7.13.4, >=7.13.0 <8.0.2, >=8.0.0 <8.1.1, >=8.1.0 <8.2.0+ 1 more
- (no CPE)range: <7.10.8, >=7.10.0 <7.11.5, >=7.11.0 <7.12.5, >=7.12.0 <7.13.4, >=7.13.0 <8.0.2, >=8.0.0 <8.1.1, >=8.1.0 <8.2.0
- (no CPE)range: < 7.10.8
Patches
Vulnerability mechanics
References
1- github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-hgq6-9jg2-wf3fmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.