Security bug in 4.0.0
-
https://github.com/RocketChat/Rocket.Chat/issues/23367
Let's wait for the fix. Until then we should stay with the current version 3.18.2
@girish: better stop the rollout of 4.0.0Pronouns: he/him | Primary language: German
-
@luckow thanks for the heads up. I have stopped the roll out already but I am trying to reproduce the issue right now.
-
OK, I can reproduce this. People can login with any password
I have revoked the release. I have also left a note on the GitHub issue. -
Wow, that’s bad…
-
@necrevistonnezr said in Security bug in 4.0.0:
Wow, that’s bad…
Yep, it really is. I just checked my install and it'd already updated to 4.0 and I was able to login as anyone using any password.
Everyone ought to check if their installs of Rocket.Chat and revert to an earlier backup ASAP!
What I love about Cloudron was how quickly I was able to restore a backup and fix this problem all while on my phone.
And of course that we have great people like @luckow in our community who come here and tell us all about the issue in the first place! Thanks! (I wonder if this post could be highlighted somehow? This is a serious security bug)
-
Looks like 4.0.1 that fixes this will be ready soon
-
I have pushed the update to 4.0.1
