Vulnerability in Rocket.chat Server

CVE-2021-22910

A sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed queries to an endpoint which could result in a NoSQL injection, potentially leading to RCE.

EPSS score: 0.018 (percentile 83.1).

Affected products

  • Rocket.chat Server (vendor: n/a). Affected versions: <3.13.2, <3.12.4, <3.11.4. Fixed versions: 3.13.2, 3.12.4, 3.11.4.

Weakness classification (CWE)

  • CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

Public proof-of-concept exploits

  • 4 public proof-of-concept repositories indexed.

References

Frequently asked questions

What is CVE-2021-22910?
CVE-2021-22910 is a vulnerability in Rocket.chat Server, classified under CWE-75. Published 2021-08-09.
Is CVE-2021-22910 known to be exploited?
4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.