CVE-2023-28316 — CRITICAL (9.8)

Vulnerability Description

A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where other active sessions are not invalidated upon activating 2FA. This could potentially allow an attacker to maintain access to a compromised account even after 2FA is enabled.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Rocket.Chat	Rocket.Chat	-

Related Weaknesses (CWE)

CWE-384

References

https://hackerone.com/reports/992280Third Party Advisory
https://hackerone.com/reports/992280Third Party Advisory

FAQ

What is CVE-2023-28316?

CVE-2023-28316 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where other active sessions are not invalidated upon activating 2FA. This could potentially allow...

How severe is CVE-2023-28316?

CVE-2023-28316 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-28316?

Check the references section above for vendor advisories and patch information. Affected products include: Rocket.Chat Rocket.Chat.