CVE-2022-32219 is an information disclosure vulnerability identified in Rocket.Chat versions prior to 4.7.5. Rocket.Chat is an open-source team communication platform widely used for messaging and collaboration. The vulnerability arises from the "users.list" REST API endpoint, which accepts a query parameter in JSON format and executes a database query using Users.find(queryFromClientSide). This implementation flaw allows any authenticated user to craft arbitrary queries that can retrieve information about any other user in the system, excluding password hashes. The root cause is insufficient access control and improper sanitization of client-supplied query parameters, leading to unauthorized data exposure. Since the vulnerability requires authentication but no additional privileges or user interaction, it can be exploited by any legitimate user of the platform to access sensitive user data such as email addresses, profile details, or other personal information stored in Rocket.Chat. The vulnerability has a CVSS 3.1 base score of 4.3 (medium severity), reflecting its limited impact on confidentiality and no impact on integrity or availability. No known exploits have been reported in the wild, and the issue was fixed in Rocket.Chat version 4.7.5 and later.

For European organizations using Rocket.Chat, this vulnerability poses a risk of unauthorized disclosure of user information within their communication environment. Exposure of personal data could lead to privacy violations under the EU's GDPR regulations, potentially resulting in regulatory fines and reputational damage. Internal user data leakage might facilitate targeted phishing or social engineering attacks by malicious insiders or compromised accounts. Although the vulnerability does not allow password or credential theft, the exposure of user metadata can aid attackers in lateral movement or reconnaissance within the organization. The impact is more pronounced in sectors with strict data protection requirements such as finance, healthcare, and government institutions. Since Rocket.Chat is often deployed in private cloud or on-premises environments, organizations with less frequent patch management cycles are at higher risk. The absence of known active exploitation reduces immediate threat but does not eliminate the risk of future attacks leveraging this vulnerability.

Organizations should promptly upgrade Rocket.Chat installations to version 4.7.5 or later, where this vulnerability is patched. Until upgrades can be applied, administrators should restrict access to the "users.list" endpoint by implementing additional access controls or API gateway filtering to limit query parameters or user roles that can invoke this endpoint. Monitoring and logging of API calls to detect unusual query patterns or excessive user data requests can help identify exploitation attempts. Employing network segmentation and strict authentication policies reduces the risk of compromised accounts being used to exploit this flaw. Regular security audits of Rocket.Chat configurations and user permissions are recommended to ensure least privilege principles are enforced. Additionally, organizations should review and update their incident response plans to address potential data disclosure incidents involving internal communication platforms.