Executive Summary

This vulnerability affects Rocket.Chat versions prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. An unauthenticated network attacker can obtain a valid OAuth access token for any user by sending a specially crafted HTTP POST request to the /oauth/token endpoint.

The issue arises because the OAuth2 server does not validate that grant parameters are strings before using them in a MongoDB query. By substituting MongoDB query operators like {$ne: null} for parameters such as client_id, client_secret, and refresh_token, the attacker tricks the server into returning a valid access token and refresh token pair for the first user token MongoDB returns.

The attacker can iterate through the tokens using other MongoDB operators to collect access tokens for all users, including administrators, without needing any credentials or prior interaction with the system.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to gain unauthorized access to any user's account on Rocket.Chat, including administrator accounts.

• The attacker can impersonate users and access all API endpoints available to those users.
• If an administrator's token is compromised, the attacker gains full admin API access, including the ability to install Apps-Engine apps, which can lead to server-side code execution.
• No authentication or prior knowledge of user credentials is required, making the attack easy to perform remotely.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade Rocket.Chat to one of the fixed versions: 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11.

This update addresses the issue where unauthenticated attackers could obtain valid OAuth access tokens by exploiting improper validation of grant parameters.

Useful 0 Not Useful 0