CVE-2021-22910

9.8 CRITICAL

📋 TL;DR

A NoSQL injection vulnerability in Rocket.Chat server allows an attacker to inject MongoDB query operators into a server-side query through a specific endpoint, because a request parameter reaches the query without being checked for type or content. The injected operators can be used to read data the attacker is not authorised to see and, by further manipulating the query parameters, to escalate to remote code execution (RCE). Affects Rocket.Chat servers running the vulnerable versions listed below.

💻 Affected Systems

Products:
  • Rocket.Chat
Versions: <3.13.2, <3.12.4, <3.11.4 (3.13.x before 3.13.2, 3.12.x before 3.12.4, and everything below 3.11.4, including older branches that received no fix)
Operating Systems: All platforms running Rocket.Chat
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Rocket.Chat deployments regardless of configuration. The vulnerable endpoint is part of core functionality and cannot be disabled by configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise with remote code execution, data exfiltration, and lateral movement within the network.

🟠

Likely Case

Unauthorized data access, privilege escalation, and potential RCE depending on server configuration.

🟢

If Mitigated

If the endpoint is shielded by input validation and network restrictions, the impact is limited, potentially to exposure of data the attacker's account can already reach.

🌐 Internet-Facing: HIGH - Rocket.Chat servers are typically internet-facing collaboration platforms.
🏢 Internal Only: MEDIUM - Internal servers are still vulnerable, but only users who can reach and log in to the server can exploit it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ❌ No
Complexity: MEDIUM

Exploitation requires some technical knowledge, but detailed public analysis exists. A valid account is typically required to reach the vulnerable endpoint, so any user who can register or log in is a potential attacker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.13.2, 3.12.4, or 3.11.4 (the fixed release of each supported branch; later branches include the fix)

Vendor Advisory: https://github.com/RocketChat/Rocket.Chat/releases

Restart Required: Yes

Instructions:

1. Back up your Rocket.Chat instance, including the MongoDB database.
2. Update to the fixed release of the branch you run (3.13.2, 3.12.4, or 3.11.4) using your package manager or deployment method.
3. Restart the Rocket.Chat service.
4. Verify the update was successful (see How to Verify below).

🔧 Temporary Workarounds

Input Validation Enhancement

Applies to: all platforms

Reject request parameters whose type differs from what the endpoint expects (for example, a JSON object where a string is expected) and strip or reject keys beginning with $ at any depth before the value reaches a MongoDB query. This is a stopgap until the fixed release is installed.

Network Access Restriction

Applies to: all platforms

Restrict access to the vulnerable endpoint to trusted networks using network firewalls, or block requests whose parameters contain MongoDB operators using a web application firewall. Because the endpoint is reachable by authenticated users, a network rule only helps where the user population is also restricted.

🧯 If You Can't Patch

  • Implement strict type and content validation for every user-controlled parameter that reaches a MongoDB query (reject objects where strings are expected; reject keys beginning with $)
  • Deploy a web application firewall (WAF) with NoSQL injection protection rules, including the URL-encoded forms of operators such as %24regex
  • Since a valid account is needed to reach the vulnerable endpoint, review who can register or log in and remove unused accounts
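The injection mechanism and the type check that the workaround above calls for, as an added example in JavaScript. This is not Rocket.Chat's code: the records, the handler names, the field names and the tiny in-memory matcher are constructed for illustration and do not reproduce the real endpoint. It also shows, more generally than the page states, why a yes/no response is enough for an attacker once $regex can be injected.

```javascript
// Added example, not Rocket.Chat code: a toy handler that shows how an untyped
// request parameter turns into a NoSQL injection, and the type check that closes
// it. The records, field names and the tiny matcher are stand-ins for MongoDB.

// Constructed sample records.
const users = [
  { username: 'alice', email: 'alice@example.com' },
  { username: 'bob',   email: 'bob@example.com' },
];

// Minimal query matcher: equality, plus the two operators an injected object most
// often carries. Real MongoDB accepts many more ($where, $gt, $in, ...).
function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === 'object') {
      if ('$regex' in cond) return typeof value === 'string' && new RegExp(cond.$regex).test(value);
      if ('$ne' in cond) return value !== cond.$ne;
      throw new Error('operator not supported by the toy matcher');
    }
    return value === cond;
  });
}

const find = (query) => users.filter((doc) => matches(doc, query));

// VULNERABLE: the handler builds the query from the decoded parameter as-is. With a
// JSON body or a JSON-typed query string, `param` may be an object, not a string.
function lookupUserVulnerable(param) {
  return find({ username: param }).map((u) => u.email);
}

// HARDENED: enforce the expected type before the value reaches the database.
function lookupUserSafe(param) {
  if (typeof param !== 'string') throw new TypeError('username must be a string');
  return find({ username: param }).map((u) => u.email);
}

// For parameters that legitimately are objects (filters, projections), refuse any
// key beginning with '$' at any depth so no operator can be smuggled in.
function hasOperatorKey(obj) {
  if (obj === null || typeof obj !== 'object') return false;
  return Object.entries(obj).some(([k, v]) => k.startsWith('$') || hasOperatorKey(v));
}

// Why a boolean response is enough: an attacker who only learns "found / not found"
// can still recover every username with $regex prefix probes (a regex oracle).
// `alphabet` must contain only characters that are literal in a regex.
function enumerateUsernamesVulnerable(alphabet) {
  const found = [];
  const walk = (prefix) => {
    if (prefix && lookupUserVulnerable({ $regex: `^${prefix}$` }).length) found.push(prefix);
    for (const ch of alphabet) {
      if (lookupUserVulnerable({ $regex: `^${prefix}${ch}` }).length) walk(prefix + ch);
    }
  };
  walk('');
  return found; // ['alice', 'bob'] against the sample records
}
```

With the sample records, lookupUserVulnerable({ $regex: '^a' }) returns alice's e-mail and lookupUserVulnerable({ $ne: '' }) returns every user, while lookupUserSafe throws a TypeError for both. The type check is the fix a handler needs for scalar parameters; hasOperatorKey is the check for parameters that are objects by design.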

🔍 How to Verify

Check if Vulnerable:

Compare the running version against the fixed release for its branch. The version is shown in the admin panel (Administration > Info), returned by the unauthenticated REST call GET /api/info, or, if your deployment ships a package.json carrying the Rocket.Chat version, printed by the command below when run in that directory.

Check Version:

node -e "console.log(require('./package.json').version)"

Verify Fix Applied:

Confirm the version is at or above the fixed release of its branch: 3.11.4 for 3.11.x, 3.12.4 for 3.12.x, 3.13.2 for 3.13.x. Later branches (3.14 and up) include the fix; anything below 3.11.4 does not.
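To make the per-branch comparison scriptable, here is an added example (JavaScript, not vendor tooling) that classifies a version string against the fixed releases listed above and can fetch the version from GET /api/info. It assumes that 3.14 and later carry the fix and that the /api/info response holds the version either at the top level or under an info object; both are assumptions to verify against your instance.

```javascript
// Added example, not Rocket.Chat code: decide whether a reported Rocket.Chat
// version carries the CVE-2021-22910 fix. Fixed releases per branch come from
// the advisory; 3.14 and later are assumed to include the fix, and anything
// below 3.11.4 (including older branches) is treated as vulnerable.
const FIXED = { '3.11': [3, 11, 4], '3.12': [3, 12, 4], '3.13': [3, 13, 2] };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number); // numeric parts, so 3.12.10 > 3.12.4
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// true when the version is at or above the fixed release of its branch
function isFixed(version) {
  const v = parseVersion(version);
  const branch = `${v[0]}.${v[1]}`;
  if (branch in FIXED) return compare(v, FIXED[branch]) >= 0;
  // Not one of the patched 3.11/3.12/3.13 branches: newer branches carry the
  // fix, older ones (< 3.11) never received it.
  return compare(v, [3, 14, 0]) >= 0;
}

// Extract the version from an /api/info response body. Assumption: the field is
// `version` at the top level, or nested under `info` (shape varies by release
// and by whether the caller is an admin); check against your own instance.
function versionFromInfo(body) {
  const version = body.version ?? (body.info && body.info.version);
  if (!version) throw new Error('no version field in /api/info response');
  return version;
}

// Network check: GET /api/info on the server and classify the result.
// Requires Node 18+ for the global fetch; not called automatically.
async function checkServer(baseUrl) {
  const res = await fetch(new URL('/api/info', baseUrl));
  const version = versionFromInfo(await res.json());
  return { version, fixed: isFixed(version) };
}
```

Call checkServer('https://chat.example.com') from a Node 18+ script or REPL; it resolves to { version, fixed }. The comparison is numeric per component on purpose: a lexical comparison would rank 3.12.10 below 3.12.4 and report a patched server as vulnerable.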

📡 Detection & Monitoring

Log Indicators:

  • Requests to the vulnerable endpoint whose parameters contain MongoDB operator names ($regex, $where, $ne, $gt and so on), including their URL-encoded forms (%24regex)
  • Unusual queries in MongoDB's profiler or slow-query log, such as regex scans on fields the endpoint does not normally filter on
  • A single account issuing many near-identical requests to the endpoint in quick succession, the pattern of blind extraction through a regex oracle

Network Indicators:

  • Suspicious payloads in HTTP requests to Rocket.Chat API endpoints
  • Unusual outbound connections from the Rocket.Chat server, which may indicate post-exploitation activity

SIEM Query:

source="rocketchat" AND http_uri="*vulnerable-endpoint*" AND (http_query="*$regex*" OR http_query="*%24regex*" OR http_query="*$where*" OR http_query="*%24where*")

Operators sent in a JSON request body do not appear in the query string, so this query only catches the GET form; body logging at the reverse proxy or a WAF is needed to see the rest.
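The log indicators above, run over constructed access-log lines, as an added example in JavaScript (not vendor tooling): it decodes the query string, parses JSON-valued parameters, and flags any key beginning with $ or any bare operator token. The endpoint path keeps the page's placeholder, the /api/v1/ prefix, the operator list and the combined-log format are assumptions, and the log lines are constructed for the example.

```javascript
// Added example, not Rocket.Chat or vendor tooling: scan reverse-proxy access
// logs for requests whose query-string parameters carry MongoDB operators.
// The log lines are constructed; the endpoint path is a placeholder, not the
// real vulnerable route.

// Operator tokens to look for even in non-JSON values (assumed list).
const MONGO_OPERATORS = /\$(regex|where|ne|gt|gte|lt|lte|in|nin|exists|or|and|not|expr)\b/;

// nginx/Apache combined-log style: client ip, timestamp, request line, status.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) HTTP\/[\d.]+" (\d{3})/;

function hasOperatorKey(obj) {
  if (obj === null || typeof obj !== 'object') return false;
  return Object.entries(obj).some(([k, v]) => k.startsWith('$') || hasOperatorKey(v));
}

// A value is suspicious if it parses as JSON carrying a '$'-prefixed key at any
// depth, or if it contains an operator token as a bare string (covers partial
// payloads and values that are not valid JSON).
function valueIsSuspicious(value) {
  try {
    if (hasOperatorKey(JSON.parse(value))) return true;
  } catch {
    // not JSON: fall through to the token check
  }
  return MONGO_OPERATORS.test(value);
}

function inspectRequest(target) {
  const url = new URL(target, 'http://placeholder.invalid');
  const hits = [];
  for (const [name, value] of url.searchParams) { // searchParams decodes %24 to $
    if (valueIsSuspicious(value)) hits.push({ param: name, value });
  }
  return { path: url.pathname, hits };
}

// Returns one alert per request to the API prefix whose parameters look injected.
function scanAccessLog(text, endpointPrefix = '/api/v1/') {
  const alerts = [];
  for (const line of text.split('\n')) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, ip, ts, method, target, status] = m;
    const { path, hits } = inspectRequest(target);
    if (!path.startsWith(endpointPrefix) || hits.length === 0) continue;
    alerts.push({ ip, ts, method, path, status: Number(status), hits });
  }
  return alerts;
}

// Alerts per source address, for spotting one client probing repeatedly.
function countBySource(alerts) {
  return alerts.reduce((acc, a) => ({ ...acc, [a.ip]: (acc[a.ip] || 0) + 1 }), {});
}

// Constructed sample: a benign JSON filter, a JSON filter with $regex URL-encoded,
// a bare $where token, and an unrelated page view.
const SAMPLE_LOG = [
  '10.0.0.5 - - [12/May/2021:10:01:02 +0000] "GET /api/v1/vulnerable-endpoint?query=%7B%22name%22%3A%22alice%22%7D HTTP/1.1" 200 512',
  '10.0.0.9 - - [12/May/2021:10:01:03 +0000] "GET /api/v1/vulnerable-endpoint?query=%7B%22name%22%3A%7B%22%24regex%22%3A%22%5Ea%22%7D%7D HTTP/1.1" 200 800',
  '10.0.0.9 - - [12/May/2021:10:01:04 +0000] "GET /api/v1/vulnerable-endpoint?query=%24where%3A1 HTTP/1.1" 400 120',
  '10.0.0.7 - - [12/May/2021:10:01:05 +0000] "GET /home HTTP/1.1" 200 3000',
].join('\n');
```

scanAccessLog(SAMPLE_LOG) flags the second and third lines only, both from 10.0.0.9; the benign filter on the first line and the page view on the fourth produce no alert. The same limitation as the SIEM query applies: operators carried in a JSON body are invisible to an access log, so feed this the proxy's body log or WAF events where those exist.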

🔗 References