CVE-2024-37405 in Rocket.Chat
Summary
by MITRE • 07/12/2024
Livechat messages can be leaked by combining two NoSQL injections affecting livechat:loginByToken (pre-authentication) and livechat:loadHistory.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/12/2024
This vulnerability represents a critical information disclosure flaw in Livechat systems that stems from improper input validation and sanitization within two distinct NoSQL injection points. The vulnerability exists in the livechat:loginByToken endpoint which operates pre-authentication, and the livechat:loadHistory endpoint which handles message retrieval. Both endpoints fail to properly sanitize user-supplied input, creating opportunities for attackers to inject malicious NoSQL queries that can manipulate database operations and extract sensitive information from the system.
The technical exploitation involves crafting malicious payloads that leverage the inherent weaknesses in how the application processes user input within NoSQL database queries. When an attacker submits specially crafted data to the loginByToken endpoint, they can manipulate the authentication flow to bypass normal access controls and gain unauthorized access to the system. Subsequently, the attacker can use the compromised session to query the loadHistory endpoint, where the second injection point allows for extraction of chat messages and other sensitive data from the database. This combination creates a complete attack chain that enables unauthorized data access without requiring valid credentials.
The operational impact of this vulnerability is significant as it allows attackers to access confidential customer communications, personal information, and potentially sensitive business data stored within the Livechat system. The pre-authentication nature of the loginByToken injection means that attackers can exploit this vulnerability even before establishing legitimate user sessions, making detection more difficult. The attack requires minimal privileges and can be executed through standard web application interfaces, making it particularly dangerous for organizations that rely on Livechat for customer support and communication services. This vulnerability directly violates the principle of least privilege and can lead to data breaches that compromise customer privacy and organizational security.
Organizations should immediately implement input validation and sanitization measures across all endpoints that handle user input, particularly those interacting with NoSQL databases. The implementation of proper parameterized queries or query builders can prevent injection attacks by separating SQL commands from data. Additionally, organizations should enforce strict access controls and monitor for unusual authentication patterns or data access requests. The use of web application firewalls and intrusion detection systems can help identify and block malicious payloads attempting to exploit these vulnerabilities. Regular security testing including penetration testing and vulnerability scanning should be conducted to identify similar injection points within the application stack. This vulnerability aligns with CWE-94 which addresses code injection and CWE-20 which covers input validation issues, and maps to ATT&CK techniques such as T1190 for exploitation of vulnerabilities and T1071.004 for application layer protocol usage in network communication.