CVE-2023-23911

Published: Mar 10, 2023Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An improper access control vulnerability exists prior to v6 that could allow an attacker to break the E2E encryption of a chat room by a user changing the group key of a chat room.

Affected (1)

Products: Rocket.chat: Rocket.chat

Rocket.chat

1 product

Rocket.chat

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Rocket.chat Rocket.chat	Before 6.0.0

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-326

Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

References (2)

https://hackerone.com/reports/1757663

Source: support@hackerone.com

Issue TrackingThird Party Advisory

https://hackerone.com/reports/1757663

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

Timeline

No history available yet.