CVE-2024-39713
Published: 2024-08-05
CVE-2024-39713: A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1.
Priority: P276
Severity: high (CVSS 3.1 base score 8.6)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:N / A:N
Exploitation status: exploited in the wild (VulnCheck KEV)
EPSS: 3.20% (86.5th percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rocket.chat | rocket.chat | < 6.10.1 | 6.10.1 |
| rocket.chat | rocket.chat | >= 0 < 6.10.1 | 6.10.1 |
| rocket.chat | rocket.chat | >= 6.10.1 < 6.10.1 | 6.10.1 |
Detection & IOCs (extracted from sources)
Sigma rule: POST request to /api/v1/livechat/sms-incoming/twilio with MediaUrl0 field pointing to external host
Detection guidance:
- Monitor for unauthenticated POST requests to the Twilio webhook endpoint /api/v1/livechat/sms-incoming/twilio containing a 'MediaUrl0' field with an external or internal URL; this is the SSRF trigger vector.
- The exploit payload uses a JSON body with 'NumMedia' >= 1 and 'MediaUrl0' set to an attacker-controlled URL; alert on outbound HTTP requests originating from the Rocket.Chat server process to unexpected hosts following such inbound requests.
- Successful exploitation returns a response with Content-Type: text/xml; use this as a secondary detection signal when combined with a POST to the Twilio endpoint.
- DNS interaction (OOB callback) is expected as part of exploitation; monitor DNS logs for queries originating from the Rocket.Chat server to external resolvers shortly after a POST to the Twilio webhook endpoint.
- Use Shodan/FOFA/Google dorks to identify exposed Rocket.Chat instances: Shodan 'http.title:"rocket.chat"', FOFA 'title="rocket.chat"', Google 'intitle:"rocket.chat"'.
Notes:
- The vulnerability affects Rocket.Chat versions before 6.10.1 only; instances already patched to 6.10.1 or later are not affected.
- The endpoint /api/v1/livechat/sms-incoming/twilio is unauthenticated, meaning no credentials are required to trigger the SSRF; no authentication bypass is needed in the attack chain.
- The SSRF is triggered via the 'MediaUrl0' (and potentially MediaUrl1..N) JSON field; the server fetches the supplied URL server-side, enabling access to internal network resources.
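The detection guidance above can be turned into a log-side check. The following is an added example (not code from the page's sources, Rocket.Chat, or any of the listed rule sets) that scans constructed JSON request records for POSTs to the Twilio webhook path, enumerates every MediaUrl0..MediaUrl{NumMedia-1} value, and flags URLs whose host is an internal address or anything other than Twilio's media host. The trusted-host allowlist (api.twilio.com) and the record format are assumptions for the example; adapt them to the access-log or WAF format actually in use.

```python
"""Flag suspicious MediaUrlN values in POSTs to Rocket.Chat's Twilio webhook (added example)."""
import ipaddress
import json
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

TWILIO_WEBHOOK_PATH = "/api/v1/livechat/sms-incoming/twilio"
# Assumption: legitimate Twilio media attachments are served from api.twilio.com.
TRUSTED_MEDIA_HOSTS = {"api.twilio.com"}

# Constructed sample records (one JSON object per line), not real traffic.
SAMPLE_LOG = [
    '{"src_ip":"203.0.113.7","method":"POST","path":"/api/v1/livechat/sms-incoming/twilio",'
    '"body":{"NumMedia":"1","MediaUrl0":"https://api.twilio.com/2010-04-01/Accounts/ACxxxx/Messages/MMxxxx/Media/MExxxx"}}',
    '{"src_ip":"198.51.100.9","method":"POST","path":"/api/v1/livechat/sms-incoming/twilio",'
    '"body":{"NumMedia":"1","MediaUrl0":"http://10.0.0.5:8080/"}}',
    '{"src_ip":"198.51.100.9","method":"POST","path":"/api/v1/livechat/sms-incoming/twilio",'
    '"body":{"NumMedia":"2","MediaUrl0":"https://api.twilio.com/x","MediaUrl1":"http://callback.example.net/"}}',
    '{"src_ip":"203.0.113.8","method":"GET","path":"/api/v1/info","body":null}',
    '{"src_ip":"203.0.113.8","method":"POST","path":"/api/v1/livechat/sms-incoming/twilio",'
    '"body":{"NumMedia":"0"}}',
]


def media_urls(body: dict) -> List[str]:
    """Return the MediaUrl0..MediaUrl{NumMedia-1} values present in a webhook body."""
    try:
        num_media = int(body.get("NumMedia", 0))
    except (TypeError, ValueError):
        num_media = 0
    urls = []
    for i in range(num_media):
        url = body.get(f"MediaUrl{i}")
        if isinstance(url, str):
            urls.append(url)
    return urls


def classify_url(url: str) -> Optional[str]:
    """Return a finding label for a suspicious media URL, or None if it is on the allowlist."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return "malformed-or-non-http-url"
    if host in TRUSTED_MEDIA_HOSTS:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname rather than an IP literal: not Twilio, so treat as untrusted.
        return "untrusted-external-host"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal-address"
    return "untrusted-external-host"


def scan_log(lines) -> List[Tuple[Optional[str], str, str]]:
    """Return (client_ip, url, finding) for every suspicious MediaUrlN in webhook POSTs."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("method") != "POST" or rec.get("path") != TWILIO_WEBHOOK_PATH:
            continue
        body = rec.get("body") or {}
        for url in media_urls(body):
            label = classify_url(url)
            if label:
                findings.append((rec.get("src_ip"), url, label))
    return findings


if __name__ == "__main__":
    for src_ip, url, label in scan_log(SAMPLE_LOG):
        print(f"ALERT {label}: {src_ip} -> {url}")
```

The check deliberately inspects only the request as logged; it does not resolve hostnames, so a hostname that resolves to an internal address is reported as untrusted-external-host rather than internal-address. Pair it with the outbound-connection and DNS signals listed above to confirm that the server actually fetched the URL.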
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| nvd | 3.0 | 8.6 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| vulncheck | - | 8.6 | HIGH | - |
OSV (2024-08-05)
CVE-2024-39713 [HIGH] Rocket.Chat Server-Side Request Forgery (SSRF) vulnerability
GHSA (2024-08-05)
CVE-2024-39713 [HIGH] CWE-918 Rocket.Chat Server-Side Request Forgery (SSRF) vulnerability
VulnCheck (2024, CVSS 8.6)
CVE-2024-39713 [HIGH] rocket.chat rocket.chat Server-Side Request Forgery (SSRF)
Affected: rocket.chat rocket.chat
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-11-07&host_type=src&vulnerability=cve-2024-39713
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-11-25&host_type=src&vulnerability=cve-2024-39713
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-11-26&host_type=src&vulnerability=cve-2024-39713
- https://dashboard
No detection rules found.
Nuclei (CVSS 8.6)
CVE-2024-39713 [HIGH] Rocket.Chat - Server-Side Request Forgery (SSRF)
Template:
```yaml
id: CVE-2024-39713
info:
  name: Rocket.Chat - Server-Side Request Forgery (SSRF)
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1.
  impact: |
    Unauthenticated attackers can force the server to make arbitrary requests, potentially accessing internal services.
  remediation: |
    Update Rocket.Chat to version 6.10.1 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-39713
    - https://hackerone.com/reports/1886954
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3
```