Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeronePaulocsanzH1:1140631
HistoryMar 29, 2021 - 9:47 p.m.

Rocket.Chat: REST API gets `query` as parameter and executes it

2021-03-2921:47:53
paulocsanz
hackerone.com
9

0.001 Low

EPSS

Percentile

25.0%

JSON

Summary: Any user with ‘view-d-room’ permission can access any (except users.services) data from the users collection

Description:

The “users.list” REST endpoint gets a query parameter from JSON and runs Users.find(queryFromClientSide). This means virtually any authenticated user can access any data (except password hashes) of any user authenticated. They can list admins and then brute-force their passwords with that information, for example. And all emails get leaked.

This report is only for one specific endpoint, but there are a lot of endpoint that have a query parameter, some attach fields to it making it “safer”, but it’s never a good idea to run queries that came from the users. This always will end-up as a security vulnerability. This is basically a SQL injection in a NOSQL database.

https://github.com/RocketChat/Rocket.Chat/blob/develop/app/api/server/v1/users.js#L232

Although contained to ‘view-d-room’, most accounts have this permission and even then, this permission does not allow for unfettered access to the entire users collection (except the password hash)

Releases Affected:

From 2.5 on.

Steps To Reproduce (from initial installation to vulnerability):

Signup to open.rocket.chat, get the X-Auth-Token and X-User-Id from storage. Fill the data in the query above, and access the list of most metadata of every admin user

curl --location -g --request GET 'xxx.rocket.chat/api/v1/users.list?query={"roles":"admin"}' \
--header 'X-Auth-Token:  xxx' \
--header 'X-Requested-With: XMLHttpRequest' \
--header 'X-User-Id: yyy'

Suggested mitigation

This endpoint needs to rethinking, why being so generic? It’s a breaking change now, but it should never been this generic. So there isn’t much hope besides breaking compatibility and making the endpoint simple, into one that does only one thing.

And other REST endpoints should be investigated too. We will do it, but it’s such a critical problem that it seems the Rocket.Chat team can explore it more too.

Impact

Any authenticated account can access virtually any data from the users collection.

Fix

We have fix this vulnerability in 4.7.5>

Related

cve 1
nvd 1
prion 1
cnvd 1
osv 1
cvelist 1
cve
cve
CVE-2022-32219
2022-09-23 19:15:11
nvd
nvd
CVE-2022-32219
2022-09-23 19:15:11
prion
prion
Information disclosure
2022-09-23 19:15:00
cnvd
cnvd
Rocket.Chat users.list information disclosure vulnerability
2022-09-28 00:00:00
osv
osv
CVE-2022-32219
2022-09-23 19:15:11
cvelist
cvelist
CVE-2022-32219
2022-09-23 18:28:14

0.001 Low

EPSS

Percentile

25.0%

JSON
Related for H1:1140631
cve1nvd1prion1cnvd1osv1cvelist1