
CVE-2022-32229: Information Disclosure (CWE-200) in Rocket.Chat

Severity: Medium
Tags: Vulnerability, CVE-2022-32229, CWE-200
Published: Fri Sep 23 2022 (09/23/2022, 18:28:13 UTC)
Source: CVE
Vendor/Project: n/a
Product: Rocket.Chat

Description

An information disclosure vulnerability exists in Rocket.Chat < v5 because /api/v1/chat.getThreadsList does not sanitize user inputs and can therefore leak private thread messages to unauthorized users via MongoDB injection.

AI-Powered Analysis

AI analysis last updated: 07/08/2025, 08:40:33 UTC

Technical Analysis

CVE-2022-32229 is an information disclosure vulnerability in Rocket.Chat versions prior to 5.0. It stems from insufficient sanitization of user-supplied input in the /api/v1/chat.getThreadsList REST endpoint. Rocket.Chat stores messages in MongoDB, and the endpoint passed request values into its database query without constraining them to the plain strings it expected. MongoDB treats object-valued input as query operators and an unescaped pattern as a regular expression rather than as literal data, so an authenticated attacker could shape the query to return thread messages from rooms they were not permitted to read. Which parameter was affected and what payload was used are not stated in the CVE record.

The issue is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and carries a CVSS 3.1 base score of 4.3 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N: reachable over the network, low attack complexity, requires a low-privileged (authenticated) account, no user interaction, scope unchanged, and a limited impact on confidentiality only, with none on integrity or availability. No exploitation in the wild was reported as of publication. The flaw is fixed in Rocket.Chat 5.0 and later.

The vulnerability matters because Rocket.Chat is a widely used open-source team collaboration and messaging platform, often deployed for internal communications in enterprise environments; leaked private threads can carry confidential business information or personal data.
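The query-injection pattern described above, as an added example that is not Rocket.Chat's code: a minimal getThreadsList-style handler in its vulnerable and hardened forms, run against an in-memory stand-in for MongoDB so it executes offline. The rooms, threads, user names, the assumption that both `rid` and `text` reach the query unchecked, and the `{$ne: null}` payload are all constructed for illustration; the page does not say which parameter the real flaw was in or what payload was used, and the mini evaluator supports only the operators the example needs.

```javascript
// Added example, not Rocket.Chat code: a getThreadsList-style handler built on an
// in-memory stand-in for MongoDB. Documents, users and the injection point are assumptions.

// Constructed sample data: two rooms and four thread-parent messages (tcount set).
const ROOMS = [
  { _id: 'GENERAL', members: ['alice', 'bob', 'mallory'] },
  { _id: 'PRIVATE-hr', members: ['alice'] },
];
const THREADS = [
  { _id: 't1', rid: 'GENERAL', msg: 'lunch plans', tcount: 3 },
  { _id: 't2', rid: 'GENERAL', msg: 'release checklist', tcount: 1 },
  { _id: 't3', rid: 'PRIVATE-hr', msg: 'salary review for alice', tcount: 5 },
  { _id: 't4', rid: 'PRIVATE-hr', msg: 'termination draft', tcount: 2 },
];

// Minimal evaluator for the subset of MongoDB filter semantics the example needs.
// Like the real driver, an object value is an operator expression, which is exactly
// what makes an unchecked request value dangerous.
function matchField(actual, cond) {
  if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case '$ne': return actual !== arg;
        case '$exists': return (actual !== undefined) === arg;
        case '$regex': return new RegExp(arg, cond.$options || '').test(String(actual ?? ''));
        case '$options': return true; // consumed by $regex
        default: throw new Error('unsupported operator ' + op);
      }
    });
  }
  return actual === cond; // plain value: equality
}
const find = (docs, filter) =>
  docs.filter((d) => Object.entries(filter).every(([k, c]) => matchField(d[k], c)));
const findOne = (docs, filter) => find(docs, filter)[0] || null;

// Vulnerable shape (assumed): the access check and the thread query disagree. The room
// lookup uses the raw `rid`; when `rid` is an operator object such as {$ne: null} the
// lookup returns *some* room (the first match), the membership check runs against that
// room, and the same object is reused in the thread filter, where it matches every room.
function getThreadsListVulnerable(userId, params) {
  const { rid, text } = params;
  const room = findOne(ROOMS, { _id: rid });
  if (!room || !room.members.includes(userId)) throw new Error('unauthorized');
  const filter = { rid, tcount: { $exists: true } };
  if (text) filter.msg = { $regex: text, $options: 'i' }; // unescaped user-controlled regex
  return find(THREADS, filter);
}

// Hardened shape: reject anything that is not a plain string before it can become an
// operator, scope the query to the *validated* room id, and escape regex metacharacters.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}
function getThreadsListHardened(userId, params) {
  const { rid, text } = params;
  if (typeof rid !== 'string') throw new TypeError('rid must be a string');
  if (text !== undefined && typeof text !== 'string') throw new TypeError('text must be a string');
  const room = findOne(ROOMS, { _id: rid });
  if (!room || !room.members.includes(userId)) throw new Error('unauthorized');
  const filter = { rid: room._id, tcount: { $exists: true } };
  if (text) filter.msg = { $regex: escapeRegExp(text), $options: 'i' };
  return find(THREADS, filter);
}

// Convenience: thread ids returned by a call, or "<ErrorClass>: <message>" if it throws.
function outcome(handler, userId, params) {
  try { return handler(userId, params).map((t) => t._id); }
  catch (e) { return e.constructor.name + ': ' + e.message; }
}
```

`outcome(getThreadsListVulnerable, 'mallory', { rid: { $ne: null } })` returns all four thread ids, including the two from PRIVATE-hr that mallory is not a member of, while the hardened handler rejects the same call with `TypeError: rid must be a string`. In a real deployment an object reaches a handler through a JSON body or bracket-style query parameters such as `rid[$ne]=null`; the type check is what stops it, and using `room._id` rather than the raw parameter is what keeps the access check and the query in agreement.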

Potential Impact

For European organizations that rely on Rocket.Chat for internal communications, the impact can be considerable. Unauthorized disclosure of private thread messages is a confidentiality breach that may expose business strategy, personal data protected under GDPR, or other restricted information, with the usual consequences of reputational damage, regulatory penalties, and loss of trust among clients and partners. Because exploitation requires only an authenticated, low-privileged account, the realistic actors are insiders and holders of compromised credentials; since no user interaction is needed, such an account can be used to run the attack automatically. Rocket.Chat is deployed across government, healthcare, finance, and education in Europe, so the data at stake is often sensitive. The medium severity rating and the absence of known in-the-wild exploitation limit the immediate risk, but do not justify leaving affected versions in place.

Mitigation Recommendations

Organizations using Rocket.Chat should upgrade to version 5.0 or later, where this vulnerability is fixed; the running version can be confirmed from the server's /api/info endpoint rather than from deployment records. Because exploitation needs only a low-privileged account, restrict self-registration and guest access, review who holds accounts, and require multi-factor authentication (MFA) to reduce the chance of a compromised credential being used. Monitor API usage for requests to /api/v1/chat.getThreadsList whose parameters carry MongoDB operator tokens ($ne, $regex, $where and similar) or JSON structures where a plain string is expected, and for unusually large responses from that endpoint; both are indicators of injection attempts. For custom integrations and plugins that build MongoDB queries from request data, enforce that each value has the expected scalar type (reject objects where a string is expected) and escape regular-expression metacharacters before constructing a $regex, since these are the controls that close this class of bug. Regular security audits and penetration testing that cover injection in collaboration platforms are recommended, and incident response plans should include procedures for handling a disclosure of internal communications.
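The API-monitoring recommendation above, as an added example that is neither the page's nor the vendor's code: a scanner that reads web-server access logs in the common "combined" format, picks out requests to /api/v1/chat.getThreadsList, URL-decodes the query string and flags MongoDB operator tokens in it. The log lines are constructed for the example; the client addresses, timestamps and response sizes in them are invented.

```javascript
// Added example, not from the page or the vendor: flag MongoDB operator tokens in
// access-log requests to the affected endpoint. All log lines below are constructed.

const SAMPLE_LOG = [
  '10.0.0.5 - - [23/Sep/2022:18:28:13 +0000] "GET /api/v1/chat.getThreadsList?rid=GENERAL&count=50 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [23/Sep/2022:18:29:01 +0000] "GET /api/v1/chat.getThreadsList?rid%5B%24ne%5D=null HTTP/1.1" 200 91230 "-" "python-requests/2.28.1"',
  '10.0.0.9 - - [23/Sep/2022:18:29:07 +0000] "GET /api/v1/chat.getThreadsList?rid=GENERAL&text=%7B%22%24regex%22%3A%22.%2A%22%7D HTTP/1.1" 200 3100 "-" "python-requests/2.28.1"',
  '10.0.0.7 - - [23/Sep/2022:18:30:00 +0000] "GET /api/v1/channels.list HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
  'garbage line that does not parse',
];

const TARGET_PATH = '/api/v1/chat.getThreadsList';
// nginx/Apache "combined" format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;
// Query and regex operators that never belong in a value typed by an end user.
const OPERATOR_RE = /\$(?:ne|eq|gt|gte|lt|lte|in|nin|regex|where|exists|or|and|nor|not|expr|options)\b/g;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, url, status, bytes] = m;
  const q = url.indexOf('?');
  return {
    ip, ts, method,
    path: q < 0 ? url : url.slice(0, q),
    query: q < 0 ? '' : url.slice(q + 1),
    status: Number(status),
    bytes: bytes === '-' ? 0 : Number(bytes),
  };
}

// Percent-decode, and decode a second time in case the client double-encoded to
// slip past a naive filter. Malformed sequences are left as they are.
function decodeQuery(query) {
  let s = query.replace(/\+/g, ' ');
  for (let i = 0; i < 2; i++) {
    try {
      const d = decodeURIComponent(s);
      if (d === s) break;
      s = d;
    } catch {
      break;
    }
  }
  return s;
}

function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.path !== TARGET_PATH) continue;
    const decoded = decodeQuery(r.query);
    const operators = [...new Set(decoded.match(OPERATOR_RE) || [])];
    if (operators.length) {
      findings.push({ ip: r.ip, ts: r.ts, status: r.status, bytes: r.bytes, operators, query: decoded });
    }
  }
  return findings;
}
```

Running `scanAccessLog(SAMPLE_LOG)` yields two findings, both from 10.0.0.9: one carrying `$ne` through bracket-style parameters (`rid[$ne]=null`) and one carrying `$regex` inside a JSON-encoded `text` value. This works because the endpoint takes its parameters in the query string, which web servers log; parameters sent in a POST body would need application-level logging instead. Regex metacharacters on their own are deliberately not flagged, since they occur in legitimate searches, but a flagged request with a response size far above the endpoint's norm (91230 bytes in the constructed line) is a strong corroborating signal.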


Technical Details

Data Version: 5.1
Assigner Short Name: hackerone
Date Reserved: 2022-06-01T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f67ff0acd01a249264594

Added to database: 5/22/2025, 6:07:59 PM

Last enriched: 7/8/2025, 8:40:33 AM

Last updated: 8/14/2025, 10:17:00 PM

