Security bug in 4.0.0
-
https://github.com/RocketChat/Rocket.Chat/issues/23367
Let's wait for the fix. Until then, we should stay with the current version 3.18.2.
@girish: better stop the rollout of 4.0.0
Wow, that’s bad…
-
@necrevistonnezr said in Security bug in 4.0.0:
Wow, that’s bad…
Yep, it really is. I just checked my install and it'd already updated to 4.0 and I was able to log in as anyone using any password.
Everyone ought to check their installs of Rocket.Chat and revert to an earlier backup ASAP!
What I love about Cloudron was how quickly I was able to restore a backup and fix this problem all while on my phone.
And of course that we have great people like @luckow in our community who come here and tell us all about the issue in the first place! Thanks! (I wonder if this post could be highlighted somehow? This is a serious security bug)
-
Looks like 4.0.1 that fixes this will be ready soon