Rocket.Chat Security Fixes, Updates, and Advisories
    Article summary

    This document provides comprehensive information on security updates, advisories, and patched vulnerabilities in Rocket.Chat products.

    Security Fixes and Updates

    Rocket.Chat regularly releases updates and lists recently patched security issues here. To report security issues, please refer to our Responsible Disclosure Policy. We value and appreciate your contributions to keeping Rocket.Chat secure.

    • New Issues: Security issues are initially listed without detailed descriptions to give administrators and users time to update. Detailed information is provided with the next version release. For example, fixes introduced in version x.1 will be elaborated upon in version x.2.

    • Legacy Versions: Due to significant code differences, providing fixes for legacy versions is increasingly challenging. Therefore, we focus on maintaining and updating the most recent versions. For details on supported versions, refer to our support center.

    • Staying Informed: Stay up to date on new version updates by subscribing to our newsletters or enabling announcements in Rocket.Chat server administration settings. We recommend promptly updating to the latest version to ensure you have the newest security fixes.

    Known Vulnerabilities

    All identified vulnerabilities in our product are addressed by assigning a Common Vulnerabilities and Exposures (CVE) identifier. For more details, refer to our CVEs list.

    Rocket.Chat Security Advisories

    The Security Advisories section provides information on security vulnerabilities reported and fixed in Rocket.Chat products.

    • Disclosure Timeline: To enhance user safety, advisories are disclosed 30 days after the release of a fix.

    • For detailed information on Rocket.Chat’s vulnerabilities and assigned CVEs, see the Rocket.Chat CVE list.

    Security Advisories 2024

    CVE            | Description | Affected versions | Fixed versions
    -------------- | ----------- | ----------------- | --------------
    CVE-2024-46934 | DOM-based Cross-site Scripting (XSS) may allow users to abuse the UpdateOTRAck method to forge a message that contains an XSS payload. | Versions before 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, and 6.7.8 | 6.12.1, 6.11.3, 6.10.6, 6.9.7, 6.8.7, and 6.7.9
    CVE-2024-46935 | Maliciously crafted messages can exploit vulnerabilities in the message parser, potentially causing it to enter an infinite loop and crash the server, resulting in a Denial of Service (DoS) attack. | Versions before 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, and 6.7.8 | 6.12.1, 6.11.3, 6.10.6, 6.9.7, 6.8.7, and 6.7.9
    CVE-2024-46936 | The UpdateOTRAck method could allow users to forge messages, making them appear as if they were sent by any chosen user. | Versions before 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, and 6.7.8 | 6.12.1, 6.11.3, 6.10.6, 6.9.7, 6.8.7, and 6.7.9
    CVE-2024-47048 | Stored Cross-Site Scripting (XSS) affects apps' description and release notes in Rocket.Chat's marketplace. | Versions before 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, and 6.7.8 | 6.12.1, 6.11.3, 6.10.6, 6.9.7, 6.8.7, and 6.7.9
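    As an added example (not Rocket.Chat's code; the handler name, the session and payload shapes, and the return values are assumptions), a server-side method handler showing the two checks that close the UpdateOTRAck bug class listed above: the sender is taken from the authenticated session rather than from the client payload, and message text is escaped wherever it is later turned into markup.

```javascript
// Hypothetical handler illustrating the defensive pattern for the UpdateOTRAck
// class of bug (CVE-2024-46934 / CVE-2024-46936); not Rocket.Chat's own code.
// Property 1: the sender identity comes from the authenticated session, never from
//             the client-supplied payload, so a message cannot be attributed to
//             another user.
// Property 2: text that a client may later place into the DOM is HTML-escaped at
//             the point it becomes markup (a renderer that uses textContent instead
//             of innerHTML needs no escaping, but must never build HTML from it).

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Returns { ok: true, message } or { ok: false, reason }.
function handleOtrAck(session, payload) {
  if (!session || typeof session.userId !== 'string') {
    return { ok: false, reason: 'unauthenticated' };
  }
  if (!payload || typeof payload.roomId !== 'string' || typeof payload.text !== 'string') {
    return { ok: false, reason: 'malformed-payload' };
  }
  // A payload that names a sender other than the caller is a forgery attempt:
  // reject it outright rather than silently overwriting the field, so it can be logged.
  if ('userId' in payload && payload.userId !== session.userId) {
    return { ok: false, reason: 'sender-mismatch' };
  }
  return {
    ok: true,
    message: {
      userId: session.userId,       // authoritative sender, taken from the session
      roomId: payload.roomId,
      text: escapeHtml(payload.text),
    },
  };
}
```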

    Security Advisories 2023

    ID             | Severity | Details | Affected versions | Fixed versions
    -------------- | -------- | ------- | ----------------- | --------------
    RCSA-2023-0001 | Medium | Fixed an Insecure Direct Object Reference (IDOR) issue where a user could access any attachment if they have the correct link. | <=6.3.12, <=6.4.8, <=6.5.0 | 6.3.13, 6.4.9, 6.5.1
    RCSA-2023-0002 | Low | Fixed an issue where a user could cause Denial of Service (DoS) by requesting a very large user or room avatar. | <=6.3.12, <=6.4.8, <=6.5.0 | 6.3.13, 6.4.9, 6.5.1
    RCSA-2023-0003 | High | Fixed an issue where a user could brute-force the email OTP code. | <=6.3.12, <=6.4.8, <=6.5.0 | 6.3.13, 6.4.9, 6.5.1
    RCSA-2023-0004 | Medium | Fixed an issue where a user could bypass the rate-limiter protection by modifying the User-Agent HTTP header. | <=6.3.12, <=6.4.8, <=6.5.0 | 6.3.13, 6.4.9, 6.5.1
    RCSA-2023-0005 | High | Fixed an issue where an authenticated user could access all OAuth app details by knowing the application ID. | <=6.3.12, <=6.4.8, <=6.5.0 | 6.3.13, 6.4.9, 6.5.1
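    An added example, not Rocket.Chat's own rate limiter, covering RCSA-2023-0003 and RCSA-2023-0004 together: an attempt limiter whose key is built only from identity the client cannot change, placed in front of an OTP comparison. The request shape, field names, limits and clock are assumptions.

```javascript
// Hypothetical limiter illustrating RCSA-2023-0003 and RCSA-2023-0004; not
// Rocket.Chat's code. The key uses only attributes the client cannot freely choose
// (authenticated user id, else source address). Request headers such as User-Agent
// are deliberately excluded: a key that includes a client-controlled header lets the
// client start a fresh quota simply by changing that header.

class AttemptLimiter {
  constructor({ max, windowMs, now = () => Date.now() }) {
    this.max = max;
    this.windowMs = windowMs;
    this.now = now;               // injectable clock so the window can be tested
    this.hits = new Map();        // key -> timestamps of recent attempts
  }

  static keyFor(req) {
    return req.userId ? `user:${req.userId}` : `ip:${req.remoteAddress}`;
  }

  // Sliding window: true if the attempt may proceed, false if the quota is spent.
  allow(req) {
    const key = AttemptLimiter.keyFor(req);
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter((ts) => t - ts < this.windowMs);
    if (recent.length >= this.max) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(t);
    this.hits.set(key, recent);
    return true;
  }
}

// Compare without early exit so a wrong code costs the same time as a right one.
function constantTimeEqual(a, b) {
  const x = String(a), y = String(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    diff |= (x.charCodeAt(i) || 0) ^ (y.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Every verification attempt, right or wrong, consumes quota; the limiter runs before
// the comparison so a spent quota cannot be probed further, even with the right code.
function verifyOtp(limiter, req, expectedCode) {
  if (!limiter.allow(req)) return 'rate-limited';
  return constantTimeEqual(req.code, expectedCode) ? 'ok' : 'wrong-code';
}
```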

    Security Advisories 2022

    Dear customers,

    Recently, our security team received a report from an external researcher related to some vulnerabilities. As soon as we received it, we took some actions to fix the vulnerabilities and applied the patches for versions 3.18.x, 4.4.x, and 4.7.x.

    All our cloud instances are already upgraded to this version, and our incident response team guarantees that we didn't have any incidents related to this vulnerability. We ask all our customers to upgrade the instances to versions 3.18.7, 4.4.5, and 4.7.4 to avoid security breaches.

    We will keep you updated about any news regarding this vulnerability, and we will soon release CVE-2022-32211.

    For further information, check Rocket.Chat: Security vulnerabilities.

    We want to thank Ghaem Arasteh for the report.

    Best regards,

    Rocket.Chat security team
