
CVE-2022-32219: Information Disclosure (CWE-200) in Rocket.Chat

Severity: Medium
Tags: Vulnerability, CVE-2022-32219, CVE, CWE-200
Published: Fri Sep 23 2022 (09/23/2022, 18:28:14 UTC)
Source: CVE
Vendor/Project: n/a
Product: Rocket.Chat

Description

An information disclosure vulnerability exists in Rocket.Chat <v4.7.5: the "users.list" REST endpoint takes a query parameter from JSON and runs Users.find(queryFromClientSide). This means virtually any authenticated user can access any data (except password hashes) of any user.

AI-Powered Analysis

Last updated: 07/08/2025, 09:42:37 UTC

Technical Analysis

CVE-2022-32219 is an information disclosure vulnerability identified in Rocket.Chat versions prior to 4.7.5. Rocket.Chat is an open-source team communication platform widely used for messaging and collaboration. The vulnerability arises from the "users.list" REST API endpoint, which accepts a query parameter in JSON format and executes a database query using Users.find(queryFromClientSide). This implementation flaw allows any authenticated user to craft arbitrary queries that can retrieve information about any other user in the system, excluding password hashes. The root cause is insufficient access control and improper sanitization of client-supplied query parameters, leading to unauthorized data exposure. Since the vulnerability requires authentication but no additional privileges or user interaction, it can be exploited by any legitimate user of the platform to access sensitive user data such as email addresses, profile details, or other personal information stored in Rocket.Chat. The vulnerability has a CVSS 3.1 base score of 4.3 (medium severity), reflecting its limited impact on confidentiality and no impact on integrity or availability. No known exploits have been reported in the wild, and the issue was fixed in Rocket.Chat version 4.7.5 and later.
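The passthrough pattern the analysis describes, next to a hardened handler, as an added example that is not Rocket.Chat's own code. The in-memory `Users` collection, its `find()` and the two user records are constructed stand-ins for the real database; the allow-list and projection are one defensive shape, not the project's fix.

```javascript
// Added example, not Rocket.Chat's own code: the query-passthrough pattern behind
// CVE-2022-32219 next to a hardened handler. `Users` is a hypothetical in-memory
// stand-in for the database collection and the two user records are constructed.
const Users = {
  docs: [
    { _id: 'u1', username: 'alice', name: 'Alice', status: 'online',
      emails: [{ address: 'alice@example.test', verified: true }],
      services: { email2fa: { enabled: true } } },
    { _id: 'u2', username: 'bob', name: 'Bob', status: 'away',
      emails: [{ address: 'bob@example.test', verified: false }],
      services: { email2fa: { enabled: false } } },
  ],
  // Minimal find(): equality on dotted paths (array elements by index, no Mongo
  // array traversal), with an optional field projection like Mongo's `fields`.
  find(query, options = {}) {
    const get = (doc, path) => path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), doc);
    const matches = (doc) => Object.entries(query).every(([k, v]) => get(doc, k) === v);
    const project = (doc) => (options.fields
      ? Object.fromEntries(options.fields.map((f) => [f, doc[f]])) : doc);
    return this.docs.filter(matches).map(project);
  },
};

// The shape the advisory describes: the client's JSON is used as the filter as-is,
// so a caller can select on any stored field and receives the full matching records.
function usersListVulnerable(queryFromClientSide) {
  return Users.find(queryFromClientSide);
}

// Hardened form: only allow-listed top-level fields may be filtered, values must be
// plain strings (so operator objects such as { $regex: ... } are rejected), and the
// result is projected to public fields so sensitive ones never leave the server.
const ALLOWED_FILTER_FIELDS = new Set(['username', 'name', 'status']);
const PUBLIC_FIELDS = ['_id', 'username', 'name', 'status'];

function sanitizeUsersListQuery(queryFromClientSide) {
  if (queryFromClientSide === null || typeof queryFromClientSide !== 'object' || Array.isArray(queryFromClientSide)) {
    throw new Error('query must be a JSON object');
  }
  const safe = {};
  for (const [field, value] of Object.entries(queryFromClientSide)) {
    if (!ALLOWED_FILTER_FIELDS.has(field)) throw new Error(`filter on "${field}" is not allowed`);
    if (typeof value !== 'string') throw new Error(`filter on "${field}" must be a string`);
    safe[field] = value;
  }
  return safe;
}
function usersListHardened(queryFromClientSide) {
  return Users.find(sanitizeUsersListQuery(queryFromClientSide), { fields: PUBLIC_FIELDS });
}
```

Filtering on a non-public field (here a 2FA setting) works against the vulnerable handler and returns the full record including e-mail addresses, while the hardened handler rejects the field, rejects operator-shaped values, and returns only projected public fields.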

Potential Impact

For European organizations using Rocket.Chat, this vulnerability poses a risk of unauthorized disclosure of user information within their communication environment. Exposure of personal data could lead to privacy violations under the EU's GDPR regulations, potentially resulting in regulatory fines and reputational damage. Internal user data leakage might facilitate targeted phishing or social engineering attacks by malicious insiders or compromised accounts. Although the vulnerability does not allow password or credential theft, the exposure of user metadata can aid attackers in lateral movement or reconnaissance within the organization. The impact is more pronounced in sectors with strict data protection requirements such as finance, healthcare, and government institutions. Since Rocket.Chat is often deployed in private cloud or on-premises environments, organizations with less frequent patch management cycles are at higher risk. The absence of known active exploitation reduces immediate threat but does not eliminate the risk of future attacks leveraging this vulnerability.

Mitigation Recommendations

Organizations should promptly upgrade Rocket.Chat installations to version 4.7.5 or later, where this vulnerability is patched. Until upgrades can be applied, administrators should restrict access to the "users.list" endpoint by implementing additional access controls or API gateway filtering to limit query parameters or user roles that can invoke this endpoint. Monitoring and logging of API calls to detect unusual query patterns or excessive user data requests can help identify exploitation attempts. Employing network segmentation and strict authentication policies reduces the risk of compromised accounts being used to exploit this flaw. Regular security audits of Rocket.Chat configurations and user permissions are recommended to ensure least privilege principles are enforced. Additionally, organizations should review and update their incident response plans to address potential data disclosure incidents involving internal communication platforms.


Technical Details

Data Version: 5.1
Assigner Short Name: hackerone
Date Reserved: 2022-06-01T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f41160acd01a249262000

Added to database: 5/22/2025, 3:21:58 PM

Last enriched: 7/8/2025, 9:42:37 AM

Last updated: 8/8/2025, 12:29:15 PM

