Horizon Alert
Summary of the vulnerability and why it matters
This advisory concerns a critical vulnerability in Rocket.Chat, a communication platform. An unauthenticated attacker could exploit this by manipulating login requests to bypass authentication, potentially gaining unauthorized access to user accounts, including administrator privileges. This could lead to a full compromise of the platform.
- Unauthenticated attackers can bypass login.
- Compromise of user accounts, including admin.
- Confirm platform relevance and exposure.
Attack Path
How an attacker could exploit the issue
An unauthenticated attacker can target the CAS login handler of Rocket.Chat. By sending a specially crafted request that substitutes a MongoDB query operator for a ticket string, an attacker can bypass authentication. This allows them to obtain a valid authentication token belonging to another user, potentially an administrator, leading to full instance compromise if administrative privileges are gained.
- Unauthenticated access to login handler.
- Injects NoSQL query operators.
- Full instance compromise possible.
Live Threat
Current exploitation, exposure, and threat context
When supported by the advisory, an unauthenticated attacker could bypass authentication for Rocket.Chat's CAS login by injecting MongoDB query operators. This could allow them to impersonate legitimate users, including administrators, and gain access to the complete REST and DDP surface of the platform.
- User accounts and administrative access.
- Injected operators bypass ticket checks.
- Full instance compromise is possible.
Operational Fix
Recommended remediation, mitigation, and detection steps
This vulnerability in Rocket.Chat's CAS login handler requires action from teams managing the platform and its authentication integrations. The immediate first step is to identify all instances of the affected Rocket.Chat versions, confirm their external reachability and business criticality, and locate the specific application or platform owner responsible for remediation.
- Platform or application owners should lead.
- Verify CAS/SAML authentication reachability.
- Plan remediation based on identified risk.