Prototype Pollution in Rocket.Chat Server by Rocket.Chat
CVE-2023-23917

8.8HIGH

Key Information:

Vendor: Rocket.chat
Status: Rocket.chat
Vendor: CVE Published:; 23 February 2023

🔔 Create Rocket.chat Vulnerability Alert

What is CVE-2023-23917?

A vulnerability exists in Rocket.Chat Server versions prior to 5.2.0, allowing attackers to exploit prototype pollution, potentially leading to remote code execution (RCE) with admin privileges. Any user can set up their own server within the cloud infrastructure, effectively granting them admin access and enabling the exploitation of this vulnerability. Moreover, the attack vector may amplify the risks associated with cross-site scripting (XSS), posing additional security challenges for self-hosted environments.

Affected Version(s)

Rocket.chat Fixed Version => 5.2.0

References

https://hackerone.com/reports/1631258

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 23, 2023
Vulnerability Reserved
Jan 19, 2023