CVE-2022-35246: Information Disclosure (CWE-200) in Rocket.Chat
A NoSQL-Injection information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 in the getS3FileUrl Meteor server method that can disclose arbitrary file upload URLs to users who should not be able to access them.
AI Analysis
Technical Summary
CVE-2022-35246 is an information disclosure vulnerability classified under CWE-200 affecting Rocket.Chat versions prior to 4.7.5, 4.8.2, and 5.0. The flaw exists in the getS3FileUrl Meteor server method, which retrieves URLs for files uploaded to Amazon S3 storage. Because the method is vulnerable to NoSQL injection, an attacker with limited privileges (some level of authentication is required, but no user interaction) can manipulate the query parameters to disclose arbitrary file upload URLs. Unauthorized users could thus obtain URLs pointing to files they should not be able to view, potentially exposing sensitive information stored within the Rocket.Chat environment. The vulnerability does not allow modification or deletion of data and does not affect system availability, but it compromises confidentiality by leaking file URLs. The CVSS 3.1 base score is 4.3 (medium severity), reflecting the network attack vector, low attack complexity, and limited privileges required, offset by only a partial confidentiality impact and no integrity or availability impact. No known exploits have been reported in the wild; the issue is fixed in versions 4.7.5, 4.8.2, and 5.0 and later.
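An added illustration of the pattern behind this class of bug, not Rocket.Chat's code: a Meteor-style method that forwards its argument straight into a MongoDB selector, beside a hardened form that type-checks the argument and verifies the caller's access to the file's room. The in-memory collection, the `rid` field, the room names and the URLs are all constructed for the example.

```javascript
// Constructed stand-in for an uploads collection (not Rocket.Chat's schema).
const uploads = [
  { _id: "f1", rid: "room-a", url: "https://bucket.example/f1" },
  { _id: "f2", rid: "room-b", url: "https://bucket.example/f2" },
];

// Minimal subset of MongoDB selector semantics: a scalar condition means
// equality, an object condition is read as operators ($eq, $ne). This is
// the property that makes an untyped argument dangerous: an object where a
// string was expected is interpreted as a query, not as an identifier.
function matches(value, cond) {
  if (cond !== null && typeof cond === "object") {
    return Object.entries(cond).every(([op, v]) =>
      op === "$ne" ? value !== v : op === "$eq" ? value === v : false);
  }
  return value === cond;
}

function findOne(selector) {
  return uploads.find((doc) =>
    Object.entries(selector).every(([k, c]) => matches(doc[k], c))) || null;
}

// Vulnerable shape: the method argument reaches the selector untyped and
// the result is returned without checking who is asking.
function getS3FileUrlVulnerable(fileId) {
  const file = findOne({ _id: fileId });
  return file ? file.url : null;
}

// Hardened shape: reject anything but a string (in Meteor this is what
// check(fileId, String) does), then confirm the caller can read the room
// the file belongs to before handing back the URL.
function getS3FileUrlHardened(fileId, callerRoomIds) {
  if (typeof fileId !== "string") {
    throw new Error("Match error: expected fileId to be a string");
  }
  const file = findOne({ _id: fileId });
  if (!file || !callerRoomIds.includes(file.rid)) return null;
  return file.url;
}
```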
Potential Impact
For European organizations using vulnerable versions of Rocket.Chat, this vulnerability poses a risk of unauthorized disclosure of sensitive files stored in their chat environment. Given Rocket.Chat's use as a collaboration and communication platform, leaked file URLs could expose confidential business documents, personal data, or intellectual property. This could lead to privacy violations under GDPR, reputational damage, and potential regulatory penalties. The impact is particularly significant for sectors handling sensitive data such as finance, healthcare, legal, and government agencies. While the vulnerability does not allow data modification or system disruption, the confidentiality breach alone can have serious consequences. Since exploitation requires some level of authenticated access, insider threats or compromised user accounts could be leveraged to exploit this vulnerability. Organizations relying on Rocket.Chat for internal communications should be aware that attackers could use this flaw to escalate information gathering and plan further attacks.
Mitigation Recommendations
European organizations should immediately verify their Rocket.Chat version and upgrade to at least version 4.7.5, 4.8.2, or 5.0 where the vulnerability is patched. In addition to patching, organizations should implement strict access controls and monitor user activities to detect anomalous queries to the getS3FileUrl method. Employing network segmentation to isolate Rocket.Chat servers and restricting access to trusted users can reduce exposure. Reviewing and tightening permissions for file uploads and downloads within Rocket.Chat can limit the scope of data accessible to users. Implementing logging and alerting on unusual file URL retrieval patterns can help detect exploitation attempts. Organizations should also conduct regular security audits and penetration testing focused on NoSQL injection vectors within their Meteor applications. Finally, educating users about the risks of credential compromise and enforcing strong authentication mechanisms (e.g., MFA) will reduce the risk of exploitation by unauthorized users.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: hackerone
- Date Reserved: 2022-07-06T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682f80630acd01a249264b4e
Added to database: 5/22/2025, 7:52:03 PM
Last enriched: 7/8/2025, 5:56:10 AM
Last updated: 8/17/2025, 9:00:51 AM