First published: Mon Aug 09 2021
A sanitization vulnerability in Rocket.Chat server versions before 3.13.2, 3.12.4 and 3.11.4 allowed attacker-controlled query objects to reach an endpoint unsanitized, which could result in a NoSQL injection and potentially lead to remote code execution (RCE).
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
Rocket.Chat Livechat | <3.11.4 | Upgrade to 3.11.4 or later |
Rocket.Chat Livechat | >=3.12.0 <3.12.4 | Upgrade to 3.12.4 or later |
Rocket.Chat Livechat | >=3.13.0 <3.13.2 | Upgrade to 3.13.2 or later |
CVE-2021-22910 is considered a high severity vulnerability due to the potential for NoSQL injection leading to remote code execution.
To fix CVE-2021-22910, upgrade Rocket.Chat server to the patched release of the line in use: 3.13.2 or later, 3.12.4 or later, or 3.11.4 or later.
CVE-2021-22910 affects Rocket.Chat server versions prior to 3.13.2, 3.12.4, and 3.11.4.
CVE-2021-22910 can be exploited through a NoSQL injection attack, which may allow an attacker to execute arbitrary code.
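The mechanism behind this class of bug, as an added example that is not Rocket.Chat's code and does not reproduce the affected endpoint: a request value decoded from JSON is dropped straight into a MongoDB filter, so a client that sends an object instead of a string can turn an equality lookup into an operator query. The in-memory collection, the toy operator evaluator, the handler shape and the helper names (`buildFilterVulnerable`, `buildFilterHardened`, `lookupVisitor`) are all constructed for illustration. The `$regex` case goes beyond what the page states: it shows how an injected operator against a secret field becomes a character-by-character extraction oracle, which is the usual first step before escalating further.

```javascript
// Added example, not Rocket.Chat code. The collection, endpoint shape, helper
// names and payloads are constructed to show the general MongoDB NoSQL
// injection pattern caused by unsanitized query input, and one way to fix it.

// Constructed stand-in for a MongoDB collection of visitor records.
const visitors = [
  { _id: "v1", token: "a1b2c3", name: "Alice" },
  { _id: "v2", token: "d4e5f6", name: "Bob" },
];

// Minimal evaluator for the handful of filter operators this example uses.
// A real driver would send the filter to mongod; the semantics shown here
// (plain equality, $ne, $regex, $gt) match what the server would apply.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    const isOperatorObject =
      cond !== null && typeof cond === "object" && !Array.isArray(cond);
    if (!isOperatorObject) {
      return value === cond; // plain equality match
    }
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case "$ne":
          return value !== arg;
        case "$regex":
          return typeof value === "string" && new RegExp(arg).test(value);
        case "$gt":
          return value > arg;
        default:
          throw new Error(`operator ${op} not supported by this toy evaluator`);
      }
    });
  });
}

function find(collection, filter) {
  return collection.filter((doc) => matches(doc, filter));
}

// Vulnerable pattern: the JSON-decoded request value is placed directly into
// the filter. A client sending {"token": {"$ne": ""}} instead of a string
// turns the equality lookup into an operator query that matches every record.
function buildFilterVulnerable(body) {
  return { token: body.token };
}

// Hardened pattern: this field is only ever meaningful as a string, so reject
// anything else before it reaches the query. Operators can only be expressed
// as objects, so the type check closes the injection for this field.
function buildFilterHardened(body) {
  if (typeof body.token !== "string") {
    throw new TypeError("token must be a string");
  }
  return { token: body.token };
}

// Hypothetical handler: look up a visitor by the token supplied in the body.
function lookupVisitor(body, buildFilter) {
  return find(visitors, buildFilter(body));
}

// Stand-alone demonstration (output is for the reader only).
console.log(lookupVisitor({ token: "a1b2c3" }, buildFilterVulnerable).length); // 1
console.log(lookupVisitor({ token: { $ne: "" } }, buildFilterVulnerable).length); // 2
console.log(
  lookupVisitor({ token: { $regex: "^a" } }, buildFilterVulnerable).map((d) => d._id),
); // [ 'v1' ]
try {
  lookupVisitor({ token: { $ne: "" } }, buildFilterHardened);
} catch (err) {
  console.log(err.message); // token must be a string
}
```

The type check is the narrowest fix: it rejects the injected object outright rather than trying to strip `$`-prefixed keys, which can leave behind an empty object with surprising matching semantics. Whether an injection can be pushed from data extraction to code execution depends on which operators the endpoint lets through (MongoDB's `$where`, for instance, evaluates server-side JavaScript); the page states that RCE was potentially reachable here but does not detail the path.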
CVE-2021-22910 is present in the 3.11.x series before 3.11.4, the 3.12.x series before 3.12.4, and the 3.13.x series before 3.13.2.