Vulnerability in Rocket.chat Server
CVE-2021-22911
An improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 and 3.13 that could lead to unauthenticated NoSQL injection, potentially resulting in RCE.
EPSS: 0.923 (99.7th percentile)
Affected products
- Rocket.chat Server (vendor not specified): affected versions 3.11, 3.12 and 3.13; fixed in 3.13.2, 3.12.4 and 3.11.4
Weakness classification (CWE)
- CWE-75
Public proof-of-concept exploits
- CsEnox/CVE-2021-22911
- optionalCTF/Rocket.Chat-Automated-Account-Takeover-RCE-CVE-2021-22911
- Faridi-m/CVE-2021-22911-RocketChat
- roshanrajbanshi/rocketcat-cve-2021-22911-exploit
- TeneBrae93/RocketChat-NoSQLi-Chain-CVE-2021-22911
- octodi/CVE-2021-22911
- yoohhuu/Rocket-Chat-3.12.1-PoC-CVE-2021-22911-
- overgrowncarrot1/CVE-2021-22911
- MrDottt/CVE-2021-22911
- ChrisPritchard/CVE-2021-22911-rust
References
- hackerone.com/reports/1130721 (x_refsource_MISC)
- packetstormsecurity.com/files/162997/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Ex… (x_refsource_MISC)
- packetstormsecurity.com/files/163419/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Ex… (x_refsource_MISC)
- blog.sonarsource.com/nosql-injections-in-rocket-chat (x_refsource_MISC)
Frequently asked questions
- What is CVE-2021-22911?
  CVE-2021-22911 is a vulnerability in Rocket.chat Server, classified under CWE-75. Published 2021-05-27.
- Is CVE-2021-22911 known to be exploited?
  37 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.