CVE-2021-22911
Published: 2021-05-27
Priority P1 90 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 95.24% (99.9th percentile)
An improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, resulting potentially in RCE.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rocket.chat | rocket.chat | — | — |
| rocket.chat | rocket.chat | — | — |
| rocket.chat | rocket.chat | — | — |
Detection & IOCs (extracted from sources)
- The original exploit (EDB-49960) assumes MFA is enabled on the admin account; a modified version or the faster variant (EDB-50108) is needed when MFA is absent or when directly targeting the admin reset token via authenticated injection.
- The faster exploit variant (EDB-50108) uses an authenticated NoSQL injection to retrieve the admin password reset token directly, bypassing the need for blind character-by-character enumeration of the admin token.
- Affected versions are Rocket.Chat 3.11, 3.12, and 3.13; the exploit specifically targets the unauthenticated /api/v1/method.callAnon/* endpoints which accept NoSQL operators in JSON parameters.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-fj2w-2856-965h (ghsa_unreviewed · 2022-05-24 · CRITICAL · CWE-20)
An improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, resulting potentially in RCE.
VulnCheck
Rocket.Chat server 3.11, 3.12 & 3.13 Remote Code Execution (vulncheck · 2021 · CVSS 9.8 · CRITICAL)
An improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, resulting potentially in RCE.
Affected: rocket.chat rocket.chat
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2021-22911
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-24&host_type=src&vulnerability=cve-2021-22911
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-
No detection rules found.
Exploit-DB
Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2) (exploitdb · 2021-07-07 · CVSS 9.8 · CRITICAL)
---
```python
# Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2)
# Author: enox
# Date: 06-06-2021
# Product: Rocket.Chat
# Vendor: https://rocket.chat/
# Vulnerable Version(s): Rocket.Chat 3.12.1 (2)
# CVE: CVE-2021-22911
# Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat
# Info : This is a faster exploit that utilizes the authenticated nosql injection to retrieve the reset token for administrator instead of performing blind nosql injection.
#!/usr/bin/python
import requests
import string
import time
import hashlib
import json
import oathtool
import argparse

parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE')
parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True)
```
Exploit-DB
Rocket.Chat 3.12.1 - NoSQL Injection (Unauthenticated) (exploitdb · 2021-06-07 · CVSS 9.8 · CRITICAL)
---
```python
# Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated)
# Author: enox
# Date: 06-06-2021
# Product: Rocket.Chat
# Vendor: https://rocket.chat/
# Vulnerable Version(s): Rocket.Chat 3.12.1
# CVE: CVE-2021-22911
# Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat
#!/usr/bin/python
import requests
import string
import time
import hashlib
import json
import oathtool
import argparse

parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE')
parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True)
parser.add_argument('-a', help='Administrator email', required=True)
parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True)
args = parser.parse_args()
```
Nuclei
Rocket.Chat <=3.13 - NoSQL Injection (nuclei · CVSS 9.8 · CRITICAL)
Rocket.Chat 3.11, 3.12 and 3.13 contain a NoSQL injection vulnerability which allows unauthenticated access to an API endpoint. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Template:
```yaml
id: CVE-2021-22911

info:
  name: Rocket.Chat <=3.13 - NoSQL Injection
  author: tess,sullo
  severity: critical
  description: Rocket.Chat 3.11, 3.12 and 3.13 contains a NoSQL injection vulnerability which allows unauthenticated access to an API endpoint. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful e
```
CTF
Talkative / README (ctf_writeups)
# Talkative Writeup
## Summary
Nmap reveals a [Jamovi](https://www.jamovi.org/) instance, a [Rocket.Chat](https://www.rocket.chat/) instance, and a business website whose source code reveals that it is powered by [Bolt CMS](https://boltcms.io/). The Jamovi instance is not password protected, so we can use one of its features to execute R code and obtain a reverse shell into a Docker container. The Docker container contains a file with credentials, which can be used to log in to the Bolt CMS.
Within Bolt CMS, we can use its templating language, Twig, to trigger a reverse shell when a certain page is loaded. This gets us into another Docker container, from which we can ssh to the host using the credentials we found in the Jamovi Docker container. This gives us access to the `user.txt` flag.
CTF
tryhackme-rooms / rocket (ctf_writeups · CVSS 9.8 · CRITICAL)
# Rocket
https://tryhackme.com/room/rocket
Rated: HARD
This room is a quest, and has many steps before you find the first flag. In fact, the two flags are the final steps of this room, after a lot of work haha.
1. A scan reveals port 22 and 80. On 80 you are redirected to 'rocket.thm', which is a brochureware site. A bit of investigation reveals this to be built with Bolt CMS, which becomes important (much) later.
2. Enumerating sub-domains using ffuf, you can quickly find 'chat.rocket.thm', running an instance of rocket chat. There are a few CVEs for this, in particular CVE-2021-22911 which allows using a nosql injection to recover a password reset token. There is an exploit for this here https://www.exploit-db.com/exploits/49960, however it is slow as hell and requires a few modifica
Greynoiseio
Malicious Tag Roundup (Jun 7-18, 2021) (blogs_greynoiseio · CVSS 9.8 · CRITICAL)
References
- http://packetstormsecurity.com/files/162997/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Execution.html
- http://packetstormsecurity.com/files/163419/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Execution.html
- https://blog.sonarsource.com/nosql-injections-in-rocket-chat
- https://hackerone.com/reports/1130721