Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign. There is no allow-list of writable fields. An attacker can therefore rewrite any field on their own upload record, notably store and the store-specific path fields. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
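The merge pattern described above, next to an allow-listed form, as an added example that is not Rocket.Chat's code or its actual patch. Only store and path come from the advisory; the function names, the other field names and the sample payload are assumptions.

```javascript
// Added illustration, not Rocket.Chat source. Only `store` and `path` come from
// the advisory; all other names and the sample values are constructed.

// Fields the server itself sets when an upload completes (assumed names).
const serverFields = () => ({ complete: true, uploading: false });

// Vulnerable shape: the client-supplied object is merged wholesale into $set,
// so every key the client sends becomes a written field.
function buildUpdateUnsafe(clientFile) {
  return { $set: Object.assign(serverFields(), clientFile) };
}

// Hardened shape: copy only allow-listed keys whose values have the expected
// primitive type. A Map avoids inherited-key lookups such as "__proto__".
const WRITABLE_FIELDS = new Map([
  ['name', 'string'],
  ['description', 'string'],
  ['size', 'number'],
  ['type', 'string'],
]);

function buildUpdateSafe(clientFile) {
  const set = serverFields();
  const rejected = [];
  for (const [key, value] of Object.entries(clientFile ?? {})) {
    if (WRITABLE_FIELDS.get(key) === typeof value) {
      set[key] = value;
    } else {
      rejected.push(key); // outside the allow-list: drop it and log it
    }
  }
  return { update: { $set: set }, rejected };
}

// Constructed request payload carrying fields the client should not control.
const sample = JSON.parse(
  '{"name":"report.pdf","size":1024,"store":"CONSTRUCTED_STORE",' +
  '"path":"constructed/key","complete":false,"__proto__":{"x":1}}'
);

console.log('unsafe $set:', buildUpdateUnsafe(sample).$set);
console.log('safe result:', buildUpdateSafe(sample));
```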
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: Low
- Availability: None
Affected products
- RocketChat / Rocket.Chat: >= 8.5.0-rc.0, < 8.5.0
- RocketChat / Rocket.Chat: >= 8.4.0-rc.0, < 8.4.1
- RocketChat / Rocket.Chat: >= 8.3.0-rc.0, < 8.3.3
- RocketChat / Rocket.Chat: >= 8.2.0-rc.0, < 8.2.3
- RocketChat / Rocket.Chat: >= 8.1.0-rc.0, < 8.1.4
- RocketChat / Rocket.Chat: >= 8.0.0-rc.0, < 8.0.5
- RocketChat / Rocket.Chat: >= 7.11.0-rc.0, < 7.13.7
- RocketChat / Rocket.Chat: < 7.10.11