Cloudron Forum

Security bug in 4.0.0

Category: Rocket.Chat
7 Posts 4 Posters 1.2k Views 4 Watching
#1 luckow (translator) wrote:

https://github.com/RocketChat/Rocket.Chat/issues/23367
Let's wait for the fix. Until then we should stay with the current version 3.18.2
@girish: better stop the rollout of 4.0.0

Pronouns: he/him | Primary language: German

#2 girish (Staff) wrote:

@luckow thanks for the heads up. I have stopped the roll out already but I am trying to reproduce the issue right now.

#3 girish (Staff) wrote:

OK, I can reproduce this. People can login with any password 😕 I have revoked the release. I have also left a note on the GitHub issue.

#4 necrevistonnezr wrote:

Wow, that’s bad…


#5 jdaviescoates wrote:

@necrevistonnezr said in Security bug in 4.0.0:

Wow, that’s bad…

Yep, it really is. I just checked my install and it'd already updated to 4.0 and I was able to login as anyone using any password.

Everyone ought to check their installs of Rocket.Chat and revert to an earlier backup ASAP!

What I love about Cloudron was how quickly I was able to restore a backup and fix this problem all while on my phone.

And of course that we have great people like @luckow in our community who come here and tell us all about the issue in the first place! Thanks! (I wonder if this post could be highlighted somehow? This is a serious security bug)

I use Cloudron with Gandi & Hetzner


#6 jdaviescoates wrote:

Looks like 4.0.1 that fixes this will be ready soon

https://github.com/RocketChat/Rocket.Chat/milestone/258

I use Cloudron with Gandi & Hetzner

#7 girish (Staff) wrote:

I have pushed the update to 4.0.1
