CVE-2021-22886 - OpenCVE

Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags allowing a remote attacker to inject arbitrary JavaScript in a message. This flaw leads to arbitrary file read and RCE on Rocket.Chat desktop app.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Rocket.chat	Rocket.chat

Configuration 1 [-]

OR	cpe:2.3:a:rocket.chat:rocket.chat::::::::
	cpe:2.3:a:rocket.chat:rocket.chat::::::::
	cpe:2.3:a:rocket.chat:rocket.chat::::::::
	cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:rc0::::::
	cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:rc1::::::
	cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:rc2::::::
	cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:rc3::::::
	cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:rc4::::::
	cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:rc5::::::
	cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:rc6::::::
	cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:rc7::::::

References

Link	Resource
https://docs.rocket.chat/guides/security/security-updates	Vendor Advisory
https://github.com/RocketChat/Rocket.Chat/pull/20430	Patch Third Party Advisory
https://hackerone.com/reports/1014459	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2021-03-26T18:15:54

Updated: 2021-03-26T18:15:54

Reserved: 2021-01-06T00:00:00

Link: CVE-2021-22886

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-03-26T19:15:11.913

Modified: 2021-03-30T20:26:41.133

Link: CVE-2021-22886

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "Rocket.Chat ", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in 3.11, 3.10.5, 3.9.7, 3.8.8"}]}], "descriptions": [{"lang": "en", "value": "Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags allowing a remote attacker to inject arbitrary JavaScript in a message. This flaw leads to arbitrary file read and RCE on Rocket.Chat desktop app."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (XSS) - Stored (CWE-79)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-26T18:15:54", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://docs.rocket.chat/guides/security/security-updates"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1014459"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/RocketChat/Rocket.Chat/pull/20430"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2021-22886", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Rocket.Chat ", "version": {"version_data": [{"version_value": "Fixed in 3.11, 3.10.5, 3.9.7, 3.8.8"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags allowing a remote attacker to inject arbitrary JavaScript in a message. This flaw leads to arbitrary file read and RCE on Rocket.Chat desktop app."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-site Scripting (XSS) - Stored (CWE-79)"}]}]}, "references": {"reference_data": [{"name": "https://docs.rocket.chat/guides/security/security-updates", "refsource": "MISC", "url": "https://docs.rocket.chat/guides/security/security-updates"}, {"name": "https://hackerone.com/reports/1014459", "refsource": "MISC", "url": "https://hackerone.com/reports/1014459"}, {"name": "https://github.com/RocketChat/Rocket.Chat/pull/20430", "refsource": "MISC", "url": "https://github.com/RocketChat/Rocket.Chat/pull/20430"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2021-22886", "datePublished": "2021-03-26T18:15:54", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2021-03-26T18:15:54", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "86A30DEE-F0BD-42BD-8BE7-EAFC4EB83A94", "versionEndExcluding": "3.8.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5B4CA06-527F-4600-A11A-ABFA54D754C8", "versionEndExcluding": "3.9.7", "versionStartIncluding": "3.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "D9EFC543-2F10-4521-9814-ABBD237364EB", "versionEndExcluding": "3.10.5", "versionStartIncluding": "3.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "894B212B-12E9-49D0-9DCC-A8DA2BE98FCD", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "B996994C-FEC5-4524-94F4-E8F7CD666BC7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "506868F8-3FEE-478E-BAA2-889C53A79977", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "49553F24-2CC0-48E6-BA55-4CE0283C1E6A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "C4B247DC-ECB0-4859-8F6D-6CAA2C01B57E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "B3962CCC-17F4-4F4B-AE82-A53DB5ED19A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "AA4771F7-A143-44C9-8FED-B9111C22D058", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "6CA36B0C-3A4D-44EA-BAB8-A9B2D7F672D2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags allowing a remote attacker to inject arbitrary JavaScript in a message. This flaw leads to arbitrary file read and RCE on Rocket.Chat desktop app."}, {"lang": "es", "value": "Rocket.Chat versiones anteriores a 3.11, 3.10.5, 3.9.7, 3.8.8, es vulnerable a ataques de tipo cross-site scripting (XSS) persistente que usan etiquetas markdown anidadas que permiten a un atacante remoto inyectar JavaScript arbitrario en un mensaje. Este fallo conlleva a una lectura de archivos arbitraria y una RCE en la aplicaci\u00f3n de escritorio Rocket.Chat."}], "id": "CVE-2021-22886", "lastModified": "2021-03-30T20:26:41.133", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-26T19:15:11.913", "references": [{"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://docs.rocket.chat/guides/security/security-updates"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/RocketChat/Rocket.Chat/pull/20430"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/1014459"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "support@hackerone.com", "type": "Secondary"}]}