    Cloudron Forum
    Security bug in 4.0.0

    Rocket.Chat
    • luckow

      https://github.com/RocketChat/Rocket.Chat/issues/23367
      Let's wait for the fix. Until then we should stay with the current version 3.18.2
      @girish: better stop the rollout of 4.0.0

      Pronouns: he/him | Primary language: German

      • girish

        @luckow thanks for the heads up. I have stopped the roll out already but I am trying to reproduce the issue right now.

        • girish

          OK, I can reproduce this. People can login with any password 😕 I have revoked the release. I have also left a note on the GitHub issue.

          • necrevistonnezr

            Wow, that’s bad…

            • jdaviescoates

              @necrevistonnezr said in Security bug in 4.0.0:

              Wow, that’s bad…

              Yep, it really is. I just checked my install and it'd already updated to 4.0 and I was able to login as anyone using any password.

              Everyone ought to check their installs of Rocket.Chat and revert to an earlier backup ASAP!

              What I love about Cloudron was how quickly I was able to restore a backup and fix this problem all while on my phone.

              And of course that we have great people like @luckow in our community who come here and tell us all about the issue in the first place! Thanks! (I wonder if this post could be highlighted somehow? This is a serious security bug)

              I use Cloudron with Gandi & Hetzner
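              The post above asks everyone to check their installs. The following is an added example (not code from this thread, from Cloudron, or from Rocket.Chat) of the check a practitioner would run: it asks the instance for its version via the Rocket.Chat REST endpoint GET /api/v1/info, then POSTs a login to /api/v1/login for an account you own with a freshly generated random password that cannot be correct. If the server answers with a session token, the instance is accepting any password, as described in the thread. The hostname and username on the usage line are placeholders; the set of affected versions is taken from the thread (4.0.0 bad, 3.18.2 fine, 4.0.1 fixes it), not from an advisory. Run it only against an instance you operate, since it performs a real login attempt.

```python
"""Check whether a Rocket.Chat instance accepts a deliberately wrong password.

Added example for the forum thread above; not code from the thread, from
Cloudron, or from Rocket.Chat. Assumes the documented REST endpoints
GET /api/v1/info and POST /api/v1/login. Run only against your own instance.
"""
import json
import secrets
import sys
import urllib.error
import urllib.request

# Versions the thread reports as accepting any password (assumption: only 4.0.0).
AFFECTED_VERSIONS = {(4, 0, 0)}


def parse_version(text):
    """Turn '4.0.0', '3.18.2' or '4.0.0-rc.1' into a comparable tuple of ints."""
    return tuple(int(p) for p in text.strip().split("-")[0].split("."))


def version_is_affected(version_text):
    """True if the reported version is one the thread says is broken."""
    return parse_version(version_text) in AFFECTED_VERSIONS


def classify_login(status_code, body):
    """Interpret the response to a login attempt made with a bogus password.

    'VULNERABLE': the server issued a session (200 + authToken) for a password
                  that cannot be right.
    'OK':         the server refused (401, or a JSON body with status 'error').
    'UNKNOWN':    anything else (unreachable, non-JSON, unexpected code).
    """
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return "UNKNOWN"
    data = payload.get("data") or {}
    if status_code == 200 and payload.get("status") == "success" and "authToken" in data:
        return "VULNERABLE"
    if status_code == 401 or payload.get("status") == "error":
        return "OK"
    return "UNKNOWN"


def try_login(base_url, username):
    """POST a random password for `username`; return (http_status, body_text)."""
    bogus = secrets.token_hex(16)  # 128 random bits: cannot be the real password
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/login",
        data=json.dumps({"user": username, "password": bogus}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def fetch_version(base_url):
    """Return the version string from /api/v1/info, or '' if unavailable."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v1/info")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode()).get("version", "")
    except (urllib.error.URLError, json.JSONDecodeError, ValueError):
        return ""


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} https://chat.example.com some-user")
    url, user = sys.argv[1:]
    ver = fetch_version(url)
    flag = " (affected per the thread)" if ver and version_is_affected(ver) else ""
    print(f"reported version: {ver or 'unknown'}{flag}")
    print("bogus-password login:", classify_login(*try_login(url, user)))
```

If the result is VULNERABLE, the server has just handed out a real authToken for that account; revoke it (log the session out) and restore a pre-4.0.0 backup as the thread advises. An OK result is evidence, not proof, that the instance is unaffected, so treat the version line as the primary signal and the login probe as confirmation.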

              • jdaviescoates

                Looks like 4.0.1, which fixes this, will be ready soon

                https://github.com/RocketChat/Rocket.Chat/milestone/258


                • girish

                  I have pushed the update to 4.0.1
