CVE-2020-29594

9.8 CRITICAL

📋 TL;DR

This vulnerability in Rocket.Chat allows attackers to bypass SAML authentication and gain unauthorized access to user accounts. It affects Rocket.Chat instances with SAML login enabled across multiple version ranges. The high CVSS score indicates critical severity with potential for complete system compromise.

💻 Affected Systems

Products:
  • Rocket.Chat
Versions: before 0.74.4, 1.x before 1.3.4, 2.x before 2.4.13, 3.x before 3.7.3, 3.8.x before 3.8.3, and 3.9.x before 3.9.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects instances with SAML authentication enabled. Default installations without SAML are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover, administrative access to the Rocket.Chat instance, potential lateral movement to connected systems, and data exfiltration.

🟠 Likely Case

Unauthorized access to user accounts, privilege escalation, and potential data theft from the Rocket.Chat platform.

🟢 If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability involves mishandling of SAML login, which indicates an authentication bypass. No public exploit code was found in the provided references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.74.4, 1.3.4, 2.4.13, 3.7.3, 3.8.3, or 3.9.1 depending on your version track

Vendor Advisory: https://github.com/RocketChat/Rocket.Chat/releases/tag/3.9.1

Restart Required: Yes

Instructions:

1. Identify your current Rocket.Chat version.
2. Upgrade to the patched version for your track (0.74.4, 1.3.4, 2.4.13, 3.7.3, 3.8.3, or 3.9.1).
3. Restart the Rocket.Chat service.
4. Verify the upgrade was successful.

🔧 Temporary Workarounds

Disable SAML Authentication (applies to: all)

Temporarily disable SAML login until patching is complete.

Edit the Rocket.Chat configuration to disable SAML authentication.

🧯 If You Can't Patch

  • Implement network segmentation to isolate Rocket.Chat from critical systems
  • Enable enhanced logging and monitoring for authentication events

🔍 How to Verify

Check if Vulnerable:

Check the Rocket.Chat version and whether SAML is enabled. If the version falls within one of the affected ranges and SAML is enabled, the system is vulnerable.

Check Version:

Check the Rocket.Chat admin panel, or run the appropriate version command for your deployment method.

Verify Fix Applied:

Verify that the running Rocket.Chat version is at or above the patched release for its track (0.74.4, 1.3.4, 2.4.13, 3.7.3, 3.8.3, or 3.9.1), then test that SAML authentication still works as expected.
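The version-range check above, as an added example (not Rocket.Chat's own tooling): it encodes the affected tracks listed in this advisory and reports whether a given version with SAML enabled is still exposed. It assumes the version is a plain three-part string as shown in the admin panel; the function names are this example's own.

```python
import re

# Patched release per track, exactly as listed in this advisory.
# Tracks that shipped after the fix (e.g. 3.10+) are not listed and are
# treated as not affected.
FIXED_0X = (0, 74, 4)
FIXED_1X = (1, 3, 4)
FIXED_2X = (2, 4, 13)
FIXED_3_UP_TO_7 = (3, 7, 3)   # "3.x before 3.7.3"
FIXED_3_8 = (3, 8, 3)         # "3.8.x before 3.8.3"
FIXED_3_9 = (3, 9, 1)         # "3.9.x before 3.9.1"


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Rocket.Chat version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def fixed_version_for(version):
    """Return the patched release on the same track, or None if the track is unlisted."""
    major, minor, _ = version
    if major == 0:
        return FIXED_0X
    if major == 1:
        return FIXED_1X
    if major == 2:
        return FIXED_2X
    if major == 3:
        if minor <= 7:
            return FIXED_3_UP_TO_7
        if minor == 8:
            return FIXED_3_8
        if minor == 9:
            return FIXED_3_9
    return None


def is_vulnerable(version_text, saml_enabled):
    """True only when SAML is enabled and the version is below its track's fix."""
    if not saml_enabled:
        return False  # the advisory scopes this to instances with SAML login enabled
    version = parse_version(version_text)
    fixed = fixed_version_for(version)
    return fixed is not None and version < fixed


if __name__ == "__main__":
    for v in ("3.7.2", "3.7.3", "3.8.2", "3.10.0"):
        print(v, "vulnerable" if is_vulnerable(v, True) else "not affected")
```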

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Failed SAML login attempts followed by successful logins from unexpected sources
  • Multiple login attempts from single IP

Network Indicators:

  • Unusual traffic patterns to SAML endpoints
  • Authentication requests from unexpected sources

SIEM Query:

Example (illustrative pseudo-syntax; adapt the field names and operators to your SIEM's query language): 'source="rocketchat" AND (event="authentication" OR event="login") AND result="success" AND user_agent NOT IN expected_list'

🔗 References
