Rocket.Chat Security Fixes, Updates, and Advisories

This document provides comprehensive information on security updates, advisories, and patched vulnerabilities in Rocket.Chat products.

Security Fixes and Updates

Rocket.Chat regularly updates and addresses recently patched security issues. To report security issues, please refer to our Responsible Disclosure Policy. We value and appreciate your contributions to keeping Rocket.Chat secure.

  • New Issues: Security issues are initially listed without detailed descriptions to give administrators and users time to update. Detailed information is provided with the next version release. For example, fixes introduced in version x.1 are elaborated upon in version x.2.

  • Legacy Versions: Due to significant code differences, providing fixes for legacy versions is increasingly challenging. Therefore, we focus on maintaining and updating the most recent versions. For details on supported versions, refer to our support center.

  • Staying Informed: Stay up to date on new version updates by subscribing to our newsletters or enabling announcements in Rocket.Chat server administration settings. We recommend promptly updating to the latest version to ensure you have the newest security fixes.

Known Vulnerabilities

All identified vulnerabilities in our product are addressed by assigning a Common Vulnerabilities and Exposures (CVE) identifier. For more details, refer to our CVEs list.

Rocket.Chat Security Advisories

The Security Advisories section provides information on security vulnerabilities reported and fixed in Rocket.Chat products.

  • Disclosure Timeline: To enhance user safety, advisories are disclosed 30 days after the release of a fix.

  • For detailed information on Rocket.Chat’s vulnerabilities and assigned CVEs, see the Rocket.Chat CVE list.

Security Advisories 2024

| CVE | Description | Affected versions | Fixed versions |
| --- | --- | --- | --- |
| CVE-2024-46934 | DOM-based Cross-site Scripting (XSS) may allow users to abuse the UpdateOTRAck method to forge a message that contains an XSS payload. | Versions before 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, and 6.7.8 | 6.12.1, 6.11.3, 6.10.6, 6.9.7, 6.8.7, and 6.7.9 |
| CVE-2024-46935 | Maliciously crafted messages can exploit vulnerabilities in the message parser, potentially causing it to enter an infinite loop and crash the server, resulting in a Denial of Service (DoS) attack. | Versions before 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, and 6.7.8 | 6.12.1, 6.11.3, 6.10.6, 6.9.7, 6.8.7, and 6.7.9 |
| CVE-2024-46936 | The UpdateOTRAck method could allow users to forge messages, making them appear as if they were sent by any chosen user. | Versions before 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, and 6.7.8 | 6.12.1, 6.11.3, 6.10.6, 6.9.7, 6.8.7, and 6.7.9 |
| CVE-2024-47048 | Stored Cross-Site Scripting (XSS) affects apps' description and release notes in Rocket.Chat's marketplace. | Versions before 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, and 6.7.8 | 6.12.1, 6.11.3, 6.10.6, 6.9.7, 6.8.7, and 6.7.9 |

Security Advisories 2023

| ID | Severity | Details | Affected versions | Fixed versions |
| --- | --- | --- | --- | --- |
| RCSA-2023-0001 | Medium | Fixed an Insecure Direct Object Reference (IDOR) issue where a user could access any attachment if they had the correct link. | <=6.3.12, <=6.4.8, <=6.5.0 | 6.3.13, 6.4.9, 6.5.1 |
| RCSA-2023-0002 | Low | Fixed an issue where a user could cause a Denial of Service (DoS) by requesting a very large user or room avatar. | <=6.3.12, <=6.4.8, <=6.5.0 | 6.3.13, 6.4.9, 6.5.1 |
| RCSA-2023-0003 | High | Fixed an issue where a user could brute-force the email OTP code. | <=6.3.12, <=6.4.8, <=6.5.0 | 6.3.13, 6.4.9, 6.5.1 |
| RCSA-2023-0004 | Medium | Fixed an issue where a user could bypass the rate-limiter protection by modifying the User-Agent HTTP header. | <=6.3.12, <=6.4.8, <=6.5.0 | 6.3.13, 6.4.9, 6.5.1 |
| RCSA-2023-0005 | High | Fixed an issue where an authenticated user could access all OAuth app details by knowing the application ID. | <=6.3.12, <=6.4.8, <=6.5.0 | 6.3.13, 6.4.9, 6.5.1 |

Security Advisories 2022

Dear customers,

Recently, our security team received a report from an external researcher related to some vulnerabilities. As soon as we received it, we took some actions to fix the vulnerabilities and applied the patches for versions 3.18.x, 4.4.x, and 4.7.x.

All our cloud instances are already upgraded to this version, and our incident response team guarantees that we didn't have any incidents related to this vulnerability. We ask all our customers to upgrade the instances to versions 3.18.7, 4.4.5, and 4.7.4 to avoid security breaches.

We will keep you updated about any news regarding this vulnerability, and we will soon release CVE-2022-32211.

For further information, check Rocket.Chat: Security vulnerabilities.

We want to thank Ghaem Arasteh for the report.

Best regards,

Rocket.Chat security team