CVE-2022-35246 is an information disclosure vulnerability classified under CWE-200 affecting Rocket.Chat versions prior to 4.7.5, 4.8.2, and 5.0. The flaw exists in the getS3FileUrl Meteor server method, which is responsible for retrieving URLs for files uploaded to Amazon S3 storage. Due to a NoSQL injection vulnerability, an attacker with limited privileges (requiring some level of authentication but no user interaction) can manipulate the query parameters to disclose arbitrary file upload URLs. This means unauthorized users could gain access to URLs pointing to files they should not be able to view, potentially exposing sensitive information stored within the Rocket.Chat environment. The vulnerability does not allow modification or deletion of data, nor does it impact system availability, but it compromises confidentiality by leaking file URLs. The CVSS 3.1 base score is 4.3 (medium severity), reflecting the network attack vector, low complexity, and limited privileges required, but only partial confidentiality impact and no integrity or availability impact. No known exploits have been reported in the wild, and patches fixing the issue were released in versions 4.7.5, 4.8.2, and 5.0 and later.

For European organizations using vulnerable versions of Rocket.Chat, this vulnerability poses a risk of unauthorized disclosure of sensitive files stored in their chat environment. Given Rocket.Chat's use as a collaboration and communication platform, leaked file URLs could expose confidential business documents, personal data, or intellectual property. This could lead to privacy violations under GDPR, reputational damage, and potential regulatory penalties. The impact is particularly significant for sectors handling sensitive data such as finance, healthcare, legal, and government agencies. While the vulnerability does not allow data modification or system disruption, the confidentiality breach alone can have serious consequences. Since exploitation requires some level of authenticated access, insider threats or compromised user accounts could be leveraged to exploit this vulnerability. Organizations relying on Rocket.Chat for internal communications should be aware that attackers could use this flaw to escalate information gathering and plan further attacks.

European organizations should immediately verify their Rocket.Chat version and upgrade to at least version 4.7.5, 4.8.2, or 5.0 where the vulnerability is patched. In addition to patching, organizations should implement strict access controls and monitor user activities to detect anomalous queries to the getS3FileUrl method. Employing network segmentation to isolate Rocket.Chat servers and restricting access to trusted users can reduce exposure. Reviewing and tightening permissions for file uploads and downloads within Rocket.Chat can limit the scope of data accessible to users. Implementing logging and alerting on unusual file URL retrieval patterns can help detect exploitation attempts. Organizations should also conduct regular security audits and penetration testing focused on NoSQL injection vectors within their Meteor applications. Finally, educating users about the risks of credential compromise and enforcing strong authentication mechanisms (e.g., MFA) will reduce the risk of exploitation by unauthorized users.