Rocket.Chat Security Fixes, Updates, and Advisories
This document provides comprehensive information on security updates, advisories, and patched vulnerabilities in Rocket.Chat products.
Security Fixes and Updates
Rocket.Chat regularly updates this page with recently patched security issues. To report security issues, please refer to our Responsible Disclosure Policy. We value and appreciate your contributions to keeping Rocket.Chat secure.
New Issues: Security issues are initially listed without detailed descriptions to allow administrators and users time to update. Detailed information is provided with the next version release. For example, fixes introduced in version x.1 will be elaborated upon in version x.2.
Legacy Versions: Due to significant code differences, providing fixes for legacy versions is increasingly challenging. Therefore, we focus on maintaining and updating the most recent versions. For details on supported versions, refer to our support center.
Staying Informed: Stay up to date on new version updates by subscribing to our newsletters or enabling announcements in Rocket.Chat server administration settings. We recommend promptly updating to the latest version to ensure you have the newest security fixes.
Known Vulnerabilities
All identified vulnerabilities in our product are addressed by assigning a Common Vulnerabilities and Exposures (CVE) identifier. For more details, refer to our CVEs list.
Rocket.Chat Security Advisories
The Security Advisories section provides information on security vulnerabilities reported and fixed in Rocket.Chat products.
Disclosure Timeline: To enhance user safety, advisories are disclosed 30 days after the release of a fix.
For detailed information on Rocket.Chat’s vulnerabilities and assigned CVEs, see the Rocket.Chat CVE list.
Security Advisories 2024
CVE | Description | Affected versions | Fixed versions |
---|---|---|---|
CVE-2024-46934 | DOM-based Cross-site Scripting (XSS) may allow users to abuse the | Versions before 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, and 6.7.8 | 6.12.1, 6.11.3, 6.10.6, 6.9.7, 6.8.7, and 6.7.9 |
CVE-2024-46935 | Maliciously crafted messages can exploit vulnerabilities in the message parser, potentially causing it to enter an infinite loop and crash the server, resulting in a Denial of Service (DoS) attack. | Versions before 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, and 6.7.8 | 6.12.1, 6.11.3, 6.10.6, 6.9.7, 6.8.7, and 6.7.9 |
CVE-2024-46936 | The | Versions before 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, and 6.7.8 | 6.12.1, 6.11.3, 6.10.6, 6.9.7, 6.8.7, and 6.7.9 |
CVE-2024-47048 | Stored Cross-Site Scripting (XSS) affects apps’ description and release notes in Rocket.Chat’s marketplace. | Versions before 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, and 6.7.8 | 6.12.1, 6.11.3, 6.10.6, 6.9.7, 6.8.7, and 6.7.9 |
Security Advisories 2023
ID | Severity | Details | Affected versions | Fixed versions |
---|---|---|---|---|
RCSA-2023-0001 | Medium | Fixed an Insecure Direct Object Reference (IDOR) issue where a user could access any attachment if they have the correct link. | <=6.3.12,<=6.4.8,<=6.5.0 | 6.3.13,6.4.9,6.5.1 |
RCSA-2023-0002 | Low | Fixed an issue where a user could cause Denial of Service (DoS) if they request a very large user or room avatar. | <=6.3.12,<=6.4.8,<=6.5.0 | 6.3.13,6.4.9,6.5.1 |
RCSA-2023-0003 | High | Fixed an issue where a user could brute-force the email OTP code. | <=6.3.12,<=6.4.8,<=6.5.0 | 6.3.13,6.4.9,6.5.1 |
RCSA-2023-0004 | Medium | Fixed an issue where a user could bypass the rate-limiter protection by modifying the | <=6.3.12,<=6.4.8,<=6.5.0 | 6.3.13,6.4.9,6.5.1 |
RCSA-2023-0005 | High | Fixed an issue where an authenticated user could access all OAuth app details by knowing the application ID. | <=6.3.12,<=6.4.8,<=6.5.0 | 6.3.13,6.4.9,6.5.1 |
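The fixed-version columns of the 2024 and 2023 tables are branch-specific, so a plain "is my version newer than X" check is not enough: each release branch has its own patch level, and an older branch that was never patched stays affected. The script below, an added example and not Rocket.Chat tooling, encodes the fixed versions quoted from the two tables and checks an installed version (or a fleet inventory) against them; the function names, the conservative treatment of pre-release builds and the sample hostnames are assumptions.

```python
from collections.abc import Iterable

# Fixed versions quoted from the advisory tables above, one per release branch.
FIXED_2024 = ("6.12.1", "6.11.3", "6.10.6", "6.9.7", "6.8.7", "6.7.9")  # CVE-2024-46934..47048
FIXED_2023 = ("6.3.13", "6.4.9", "6.5.1")                               # RCSA-2023-0001..0005

Version = tuple[int, int, int, int]  # major, minor, patch, 1 = final / 0 = pre-release

def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch[-prerelease]' into a comparable tuple. A
    pre-release such as '6.12.1-rc.0' sorts below the final '6.12.1'
    (assumption: a candidate build is not trusted to carry the fix)."""
    core, sep, _ = text.strip().partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch, 0 if sep else 1)

def is_fixed(installed: str, fixed_versions: Iterable[str]) -> bool:
    """True when `installed` carries the fix. Rule taken from the tables: a
    listed branch is safe from its fixed patch level upward; a branch newer
    than every listed one post-dates the fix; an older branch with no listed
    fix (e.g. 6.6.x for the 2024 rows) never received it and stays affected."""
    inst = parse_version(installed)
    fixed = sorted(parse_version(v) for v in fixed_versions)
    same_branch = [f for f in fixed if f[:2] == inst[:2]]
    if same_branch:
        return inst >= same_branch[0]
    return inst[:2] > fixed[-1][:2]

def audit(hosts: dict[str, str]) -> dict[str, list[str]]:
    """Map each advisory set to the hosts still running an affected build."""
    report: dict[str, list[str]] = {"2024": [], "2023": []}
    for host, version in hosts.items():
        if not is_fixed(version, FIXED_2024):
            report["2024"].append(host)
        if not is_fixed(version, FIXED_2023):
            report["2023"].append(host)
    return report

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"chat-a": "6.12.1", "chat-b": "6.11.2", "chat-c": "6.6.9", "chat-d": "6.12.1-rc.0"}
    for year, affected in audit(sample).items():
        print(f"{year} advisories: affected hosts = {affected}")
```

Note that the check uses the fixed column as the authority, so 6.12.0 is reported as affected even though the affected column reads "before 6.12.0".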
Security Advisories 2022
Dear customers,
Recently, our security team received a report from an external researcher related to some vulnerabilities. As soon as we received it, we took some actions to fix the vulnerabilities and applied the patches for versions 3.18.x, 4.4.x, and 4.7.x.
All our cloud instances are already upgraded to this version, and our incident response team guarantees that we didn't have any incidents related to this vulnerability. We ask all our customers to upgrade the instances to versions 3.18.7, 4.4.5, and 4.7.4 to avoid security breaches.
We will keep you updated about any news regarding this vulnerability, and we will soon release CVE-2022-32211.
For further information, check Rocket.Chat: Security vulnerabilities
We want to thank Ghaem Arasteh for the report.
Best regards,
Rocket.Chat security team