Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth access token, and can also mint a fresh access token from an existing refresh token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
High
Attack Requirements
None
Privileges Required
None
User Interaction
Passive
Confidentiality (Vulnerable System)
Low
Integrity (Vulnerable System)
Low
Availability (Vulnerable System)
None
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
Affected products
- RocketChat / Rocket.Chat>= 8.5.0-rc.0, < 8.5.0 – >= 8.5.0-rc.0, < 8.5.0
- RocketChat / Rocket.Chat>= 8.4.0-rc.0, < 8.4.2 – >= 8.4.0-rc.0, < 8.4.2
- RocketChat / Rocket.Chat>= 8.3.0-rc.0, < 8.3.4 – >= 8.3.0-rc.0, < 8.3.4
- RocketChat / Rocket.Chat>= 8.2.0-rc.0, < 8.2.4 – >= 8.2.0-rc.0, < 8.2.4
- RocketChat / Rocket.Chat>= 8.1.0-rc.0, < 8.1.5 – >= 8.1.0-rc.0, < 8.1.5
- RocketChat / Rocket.Chat>= 8.0.0-rc.0, < 8.0.6 – >= 8.0.0-rc.0, < 8.0.6
- RocketChat / Rocket.Chat>= 7.11.0-rc.0, < 7.13.8 – >= 7.11.0-rc.0, < 7.13.8
- RocketChat / Rocket.Chat< 7.10.12 – < 7.10.12