CVE-2021-22911

EPSS 95.2%CWE-75

A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, resulting potentially in RCE.

Affected products

n/a · Rocket.Chat server

public PoCs found — 15

githubgithub.com/CsEnox/CVE-2021-22911★ 61 githubgithub.com/optionalCTF/Rocket.Chat-Automated-Account-Takeover-RCE-CVE-2021-22911★ 9 githubgithub.com/Faridi-m/CVE-2021-22911-RocketChat★ 1 githubgithub.com/overgrowncarrot1/CVE-2021-22911★ 0 githubgithub.com/yoohhuu/Rocket-Chat-3.12.1-PoC-CVE-2021-22911-★ 0 githubgithub.com/octodi/CVE-2021-22911★ 0 githubgithub.com/TeneBrae93/RocketChat-NoSQLi-Chain-CVE-2021-22911★ 0 githubgithub.com/MrDottt/CVE-2021-22911★ 0 githubgithub.com/jayngng/CVE-2021-22911★ 0 githubgithub.com/ChrisPritchard/CVE-2021-22911-rust★ 0 githubgithub.com/roshanrajbanshi/rocketcat-cve-2021-22911-exploit★ 0 cve_referencepacketstormsecurity.com/files/162997/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Execution.htmlunverified exploitdbwww.exploit-db.com/exploits/49960unverified exploitdbwww.exploit-db.com/exploits/50108unverified cve_referencepacketstormsecurity.com/files/163419/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Execution.htmlunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/162997/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Execution.html http://packetstormsecurity.com/files/163419/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Execution.html https://blog.sonarsource.com/nosql-injections-in-rocket-chat https://hackerone.com/reports/1130721