Cloudron Forum

Security bug in 4.0.0

Rocket.Chat
7 Posts 4 Posters 199 Views
  • #1 luckow (translator) wrote:

    https://github.com/RocketChat/Rocket.Chat/issues/23367
    Let's wait for the fix. Until then we should stay with the current version 3.18.2
    @girish: better stop the rollout of 4.0.0

    Pronouns: he/him | Primary language: German

  • #2 girish (Staff) replied to luckow:

    @luckow thanks for the heads up. I have stopped the roll out already but I am trying to reproduce the issue right now.

  • #3 girish (Staff) wrote (last edited by girish):

    OK, I can reproduce this. People can log in with any password 😕 I have revoked the release. I have also left a note on the GitHub issue.

  • #4 necrevistonnezr wrote:

    Wow, that’s bad…

  • #5 jdaviescoates replied to necrevistonnezr:

    @necrevistonnezr said in Security bug in 4.0.0:

    Wow, that’s bad…

    Yep, it really is. I just checked my install and it'd already updated to 4.0 and I was able to log in as anyone using any password.

    Everyone ought to check their installs of Rocket.Chat and revert to an earlier backup ASAP!

    What I love about Cloudron was how quickly I was able to restore a backup and fix this problem all while on my phone.

    And of course that we have great people like @luckow in our community who come here and tell us all about the issue in the first place! Thanks! (I wonder if this post could be highlighted somehow? This is a serious security bug)

    I use Cloudron with Gandi & Hetzner

  • #6 jdaviescoates replied to jdaviescoates:

    Looks like 4.0.1 that fixes this will be ready soon

    https://github.com/RocketChat/Rocket.Chat/milestone/258

    I use Cloudron with Gandi & Hetzner

  • #7 girish (Staff) wrote:

    I have pushed the update to 4.0.1
