CVE-2024-8270

The macOS Rocket.Chat application is affected by a vulnerability that allows bypassing Transparency, Consent, and Control (TCC) policies, enabling the exploitation or abuse of permissions specified in its entitlements (e.g., microphone, camera, automation, network client). Since Rocket.Chat was not signed with the Hardened Runtime nor set to enforce Library Validation, it is vulnerable to DYLIB injection attacks, which can lead to unauthorized actions or escalation of permissions. Consequently, an attacker gains capabilities that are not permitted by default under the Sandbox and its application profile.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://pentraze.com/
https://pentraze.com/vulnerability-reports/

Configurations

No configuration.

History

12 Jun 2025, 16:06

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-11 00:15

Updated : 2025-06-12 16:06

NVD link : CVE-2024-8270

Mitre link : CVE-2024-8270

CVE.ORG link : CVE-2024-8270

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2024-8270", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "41c37e40-543d-43a2-b660-2fee83ea851a", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-06-11T00:15:23.913", "references": [{"url": "https://pentraze.com/", "source": "41c37e40-543d-43a2-b660-2fee83ea851a"}, {"url": "https://pentraze.com/vulnerability-reports/", "source": "41c37e40-543d-43a2-b660-2fee83ea851a"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "41c37e40-543d-43a2-b660-2fee83ea851a", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "The macOS Rocket.Chat application is affected by a vulnerability that allows bypassing Transparency, Consent, and Control (TCC) policies, enabling the exploitation or abuse of permissions specified in its entitlements (e.g., microphone, camera, automation, network client). Since Rocket.Chat was not signed with the Hardened Runtime nor set to enforce Library Validation, it is vulnerable to DYLIB injection attacks, which can lead to unauthorized actions or escalation of permissions. Consequently, an attacker gains capabilities that are not permitted by default under the Sandbox and its application profile."}, {"lang": "es", "value": "La aplicaci\u00f3n Rocket.Chat para macOS se ve afectada por una vulnerabilidad que permite eludir las pol\u00edticas de Transparencia, Consentimiento y Control (TCC), lo que permite explotar o abusar de los permisos especificados en sus autorizaciones (p. ej., micr\u00f3fono, c\u00e1mara, automatizaci\u00f3n, cliente de red). Dado que Rocket.Chat no se firm\u00f3 con el entorno de ejecuci\u00f3n reforzado ni se configur\u00f3 para aplicar la validaci\u00f3n de librer\u00edas, es vulnerable a ataques de inyecci\u00f3n DYLIB, que pueden provocar acciones no autorizadas o la escalada de permisos. En consecuencia, un atacante obtiene capacidades no permitidas por defecto en el entorno de pruebas y su perfil de aplicaci\u00f3n."}], "lastModified": "2025-06-12T16:06:20.180", "sourceIdentifier": "41c37e40-543d-43a2-b660-2fee83ea851a"}