CVE-2023-23917 — HIGH (8.8)

Q: How severe is CVE-2023-23917?

CVE-2023-23917 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-23917?

Check the references section above for vendor advisories and patch information. Affected products include: Rocket.Chat Rocket.Chat.

Vulnerability Description

A prototype pollution vulnerability exists in Rocket.Chat server <5.2.0 that could allow an attacker to a RCE under the admin account. Any user can create their own server in your cloud and become an admin so this vulnerability could affect the cloud infrastructure. This attack vector also may increase the impact of XSS to RCE which is dangerous for self-hosted users as well.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Rocket.Chat	Rocket.Chat	< 5.2.0

Related Weaknesses (CWE)

CWE-77 CWE-1321

References

https://hackerone.com/reports/1631258Permissions Required
https://hackerone.com/reports/1631258Permissions Required

FAQ

What is CVE-2023-23917?

CVE-2023-23917 is a vulnerability with a CVSS score of 8.8 (HIGH). A prototype pollution vulnerability exists in Rocket.Chat server <5.2.0 that could allow an attacker to a RCE under the admin account. Any user can create their own server in your cloud and become an ...

How severe is CVE-2023-23917?

CVE-2023-23917 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-23917?

Check the references section above for vendor advisories and patch information. Affected products include: Rocket.Chat Rocket.Chat.