
CVE-2022-32220: Information Disclosure (CWE-200) in Rocket.Chat

Severity: Medium
Tags: Vulnerability, CVE-2022-32220, CWE-200
Published: Fri Sep 23 2022 (09/23/2022, 18:28:14 UTC)
Source: CVE
Vendor/Project: n/a
Product: Rocket.Chat

Description

An information disclosure vulnerability exists in Rocket.Chat versions before v5 because the getUserMentionsByChannel Meteor server method discloses messages from private channels and direct messages regardless of the user's access permission to the room.

AI-Powered Analysis

Last updated: 07/08/2025, 09:42:46 UTC

Technical Analysis

CVE-2022-32220 is an information disclosure vulnerability in Rocket.Chat versions prior to 5.0.0. Rocket.Chat is an open-source team communication platform widely used for messaging within organizations. The flaw lies in the getUserMentionsByChannel Meteor server method, which returns messages from private channels and direct messages without checking that the calling user is allowed to read the room in question. Because any authenticated account can invoke the method, a low-privileged user can retrieve message content from rooms they are not a member of, with no interaction from any other user required. This breaks the confidentiality that the room's membership settings were meant to provide. The vulnerability carries a CVSS 3.1 base score of 6.5 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope (the impact stays within the vulnerable component), high confidentiality impact, and no impact on integrity or availability. No exploits in the wild had been reported as of the publication date. The issue was fixed in Rocket.Chat 5.0.0 and later releases.
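The access-control gap described above, modelled as an added example (this is not Rocket.Chat's code and not a reconstruction of the real method): a Meteor-style server method that only checks for a logged-in caller, beside the same method with the room check the fix requires. The in-memory rooms and messages, their field names (rid, t, usernames, mentions) and the canAccessRoom() helper are all constructed for the example.

```javascript
// Added illustration of the missing check behind CVE-2022-32220. This is
// NOT Rocket.Chat's code: the room/message store and the canAccessRoom()
// helper are constructed here so the example runs offline; field names
// (rid, t, usernames, mentions) are assumptions, not the real schema.

// Constructed sample data. alice is a member of the public channel only.
const rooms = [
  { _id: 'r-private', t: 'p', usernames: ['bob', 'dave'] },                   // private group
  { _id: 'r-dm',      t: 'd', usernames: ['bob', 'carol'] },                  // direct message
  { _id: 'r-general', t: 'c', usernames: ['alice', 'bob', 'carol', 'dave'] }, // public channel
];

const messages = [
  { _id: 'm1', rid: 'r-private', u: 'bob',   msg: 'keep this from @alice until the board meets', mentions: ['alice'] },
  { _id: 'm2', rid: 'r-dm',      u: 'carol', msg: 'did you tell @alice about the reorg?',         mentions: ['alice'] },
  { _id: 'm3', rid: 'r-general', u: 'dave',  msg: '@alice standup in 5',                          mentions: ['alice'] },
];

// Room access rule used by the hardened variant: public channels (t 'c') are
// readable by everyone, private groups (t 'p') and DMs (t 'd') by members only.
function canAccessRoom(room, username) {
  if (room.t === 'c') return true;
  return room.usernames.includes(username);
}

function mentionsOfUserInRoom(username, roomId) {
  return messages.filter((m) => m.rid === roomId && m.mentions.includes(username));
}

// VULNERABLE shape, as the advisory describes pre-5.0.0 behaviour: the method
// checks that someone is logged in, then queries by roomId without asking
// whether the caller may read that room. Any roomId the caller can name or
// guess yields the messages that mention them, even in rooms they are not in.
function getUserMentionsByChannelVulnerable(callerUsername, { roomId }) {
  if (!callerUsername) throw new Error('error-invalid-user');
  return mentionsOfUserInRoom(callerUsername, roomId);
}

// HARDENED shape: resolve the room and refuse unless the caller can access it.
// Unknown rooms and inaccessible rooms get the same error, so the method does
// not become an oracle for which private room ids exist.
function getUserMentionsByChannelFixed(callerUsername, { roomId }) {
  if (!callerUsername) throw new Error('error-invalid-user');
  const room = rooms.find((r) => r._id === roomId);
  if (!room || !canAccessRoom(room, callerUsername)) throw new Error('error-not-allowed');
  return mentionsOfUserInRoom(callerUsername, roomId);
}

// Invoke a method the way a server dispatcher would and report the outcome
// instead of letting the error propagate.
function call(method, callerUsername, args) {
  try {
    return { ok: true, messageIds: method(callerUsername, args).map((m) => m._id) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Side-by-side run over the three constructed rooms, keyed by room id.
function compareVariants(callerUsername) {
  const out = {};
  for (const room of rooms) {
    out[room._id] = {
      vulnerable: call(getUserMentionsByChannelVulnerable, callerUsername, { roomId: room._id }),
      fixed: call(getUserMentionsByChannelFixed, callerUsername, { roomId: room._id }),
    };
  }
  return out;
}

// Stand-alone run: on the vulnerable path alice reads m1 and m2 from rooms she
// is not in; the fixed path denies both and still serves r-general.
console.log(JSON.stringify(compareVariants('alice'), null, 2));
```

The point to take from the run is that the leak does not need any special role: alice is an ordinary user, and all she supplies is a room id. That is why the CVSS vector carries PR:L rather than PR:H.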

Potential Impact

For European organizations running Rocket.Chat versions prior to 5.0.0, this vulnerability threatens the confidentiality of internal communications. Unauthorized disclosure of private channel messages and direct messages could leak sensitive business information, intellectual property, or personal data protected under GDPR, with the attendant reputational damage, regulatory penalties, and loss of trust among clients and partners. Because Rocket.Chat is often deployed in sectors that depend on confidential messaging, such as finance, healthcare, and government, the consequences of exploitation could be severe. Message integrity and system availability are unaffected, but in environments handling sensitive or regulated data the confidentiality breach alone is serious. The absence of known exploits lowers the immediate risk; the low attack complexity and network reachability mean, however, that any authenticated user who rediscovers the flaw can exploit it.

Mitigation Recommendations

European organizations should verify their Rocket.Chat version immediately and upgrade to 5.0.0 or later, where this vulnerability is fixed. If upgrading is not immediately feasible, restrict access to Rocket.Chat servers to trusted networks and users, segment the network so the server is not reachable from untrusted segments, and monitor for unusual access to private channels and direct messages, in particular calls to getUserMentionsByChannel that name rooms the calling user is not a member of. Auditing accounts and role assignments shrinks the pool of users able to exploit the flaw, but the vulnerability bypasses room-level permissions, so tightening roles alone does not close it. Web Application Firewall (WAF) rules can block the method when it is invoked through the REST wrapper for Meteor methods (requests whose path names getUserMentionsByChannel), but Meteor method calls are normally carried as DDP frames over a WebSocket connection, so an HTTP-only rule misses them; covering that path needs a filter that inspects WebSocket frames for the method name. Regular security assessments and penetration testing focused on access control enforcement in Rocket.Chat deployments are recommended to identify residual risks.
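Two of the steps above, checking the running version and watching for calls to the method, as added example code that is not part of the advisory or of Rocket.Chat. It assumes the deployment reports its version as a plain "major.minor.patch" string (the /api/info endpoint is the usual source, but this block only parses the string) and that Meteor method calls arrive either as DDP frames over the WebSocket or as POSTs to the /api/v1/method.call/<method> REST wrapper with the frame stringified in the body's message field; verify both against your own server before relying on the filter. The sample requests are constructed, not captured traffic.

```javascript
// Added triage helpers for the mitigation steps above. This is not Rocket.Chat
// code. Two things it assumes about the deployment, both to be checked:
//  - the server reports its version as a string such as "4.8.7" (GET /api/info
//    is the usual place; fetch it yourself, this block only parses the string);
//  - Meteor method calls reach the server either as DDP frames over the
//    WebSocket, {"msg":"method","method":"...","params":[...],"id":"..."},
//    or via the REST wrapper POST /api/v1/method.call/<method> whose JSON
//    body carries the same frame stringified under "message".

const FIXED_VERSION = [5, 0, 0];
const WATCHED_METHOD = 'getUserMentionsByChannel';

// "4.8.7", "5.0.0" or "5.0.0-rc.3" -> [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True for any release below 5.0.0, the version the advisory names as fixed.
// A pre-release tag is ignored, so "5.0.0-rc.1" is reported as not affected;
// the advisory says nothing about pre-releases, so confirm those separately.
function isAffectedVersion(v) {
  const parsed = parseVersion(v);
  for (let i = 0; i < 3; i++) {
    if (parsed[i] !== FIXED_VERSION[i]) return parsed[i] < FIXED_VERSION[i];
  }
  return false;
}

// Normalise one observed request to its DDP frame, or null if it is neither a
// WebSocket frame nor a method.call REST request. `req` is
//   { user, frame }        for a WebSocket text frame, or
//   { user, path, body }   for an HTTP request.
function toDdpFrame(req) {
  if (req.frame !== undefined) {
    const frame = typeof req.frame === 'string' ? JSON.parse(req.frame) : req.frame;
    return { frame, via: 'ddp' };
  }
  const isMethodCall = /^\/api\/v1\/method\.call(Anon)?(\/|$)/.test(req.path || '');
  if (isMethodCall && req.body && typeof req.body.message === 'string') {
    return { frame: JSON.parse(req.body.message), via: 'rest' };
  }
  return null;
}

function methodNameOf(req) {
  const d = toDdpFrame(req);
  return d && d.frame && d.frame.msg === 'method' ? d.frame.method : null;
}

// Return every call of the watched method with the roomId argument pulled out,
// so the hits can be joined against room membership to find real violations.
function flagWatchedCalls(requests) {
  const hits = [];
  for (const req of requests) {
    if (methodNameOf(req) !== WATCHED_METHOD) continue;
    const { frame, via } = toDdpFrame(req);
    const arg = Array.isArray(frame.params) ? frame.params[0] : undefined;
    hits.push({ user: req.user, roomId: arg ? arg.roomId : undefined, via, id: frame.id });
  }
  return hits;
}

// Constructed sample traffic (not captured from a real server).
const SAMPLE_REQUESTS = [
  { user: 'alice', frame: '{"msg":"method","method":"getUserMentionsByChannel","params":[{"roomId":"r-private"}],"id":"7"}' },
  { user: 'bob',   frame: '{"msg":"method","method":"sendMessage","params":[{"rid":"r-general","msg":"hi"}],"id":"8"}' },
  { user: 'alice', frame: '{"msg":"sub","name":"stream-room-messages","params":["r-general",false],"id":"9"}' },
  { user: 'alice', path: '/api/v1/method.call/getUserMentionsByChannel',
    body: { message: '{"msg":"method","method":"getUserMentionsByChannel","params":[{"roomId":"r-dm"}],"id":"1"}' } },
  { user: 'carol', path: '/api/v1/channels.list', body: {} },
];

console.log('affected 4.8.7:', isAffectedVersion('4.8.7'), ' affected 5.0.0:', isAffectedVersion('5.0.0'));
console.log(flagWatchedCalls(SAMPLE_REQUESTS));
```

A hit only records that the method was called for a given room; joining the roomId against room membership is what turns a hit into an actual violation. The WebSocket branch is the one a conventional HTTP WAF cannot see, which is why the filter accepts raw frames as well as REST paths.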


Technical Details

Data Version
5.1
Assigner Short Name
hackerone
Date Reserved
2022-06-01T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682f41160acd01a249262002

Added to database: 5/22/2025, 3:21:58 PM

Last enriched: 7/8/2025, 9:42:46 AM

Last updated: 8/1/2025, 1:57:35 AM

