
CVE-2022-35246: Information Disclosure (CWE-200) in Rocket.Chat

Medium
Tags: Vulnerability, CVE-2022-35246, cve, cwe-200
Published: Fri Sep 23 2022 (09/23/2022, 18:28:12 UTC)
Source: CVE
Vendor/Project: n/a
Product: Rocket.Chat

Description

A NoSQL-injection information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 in the getS3FileUrl Meteor server method that can disclose arbitrary file upload URLs to users who should not be able to access them.

AI-Powered Analysis

Last updated: 07/08/2025, 05:56:10 UTC

Technical Analysis

CVE-2022-35246 is an information disclosure vulnerability (CWE-200) in Rocket.Chat versions before 4.7.5, 4.8.2 and 5.0. It lies in the getS3FileUrl Meteor server method, which resolves the download URL for a file held in the Amazon S3 upload store. The underlying defect is a NoSQL injection: in Meteor applications this class of bug arises when a method passes a client-supplied argument into a MongoDB selector without first checking its type, so a caller can send a query operator object (a $ne or $regex clause, for instance) where the server expects a string file identifier and have the lookup match documents other than the one they named. Because any authenticated user can call server methods over DDP, a user with ordinary privileges and no victim interaction can obtain URLs for uploads they are not authorized to view, and the URL is what a client uses to fetch the file content. The method leaks only URLs; it cannot be used to modify or delete files and has no effect on availability, so the impact is confined to confidentiality. The CVSS 3.1 base score is 4.3 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, low confidentiality impact and no integrity or availability impact. No exploitation in the wild has been reported, and the fix is included in 4.7.5, 4.8.2 and 5.0 onward.
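The NoSQL injection pattern described above, shown as an added example in a Meteor-style method. This is illustrative code written for this page, not Rocket.Chat's getS3FileUrl or its patch: the in-memory collection, the user/room model, the URL builder and the enumeration loop are all constructed stand-ins, and the only real element is the bug class, a client-controlled argument reaching a MongoDB selector unchecked. The vulnerable and hardened shapes sit side by side so the effect of the type check and the ownership check can be seen on the same data.

```javascript
// Added illustration of the NoSQL-injection bug class behind CVE-2022-35246.
// Not Rocket.Chat code: collection, room model, URL builder and enumerator are
// constructed stand-ins; only the bug class (unchecked argument -> selector) is real.

// Constructed sample data: two uploads in two rooms; alice is only in "general".
const uploads = [
  { _id: "f1", name: "roadmap.pdf", rid: "general" },
  { _id: "f2", name: "payroll.xlsx", rid: "finance" },
];
const subscriptions = [{ u: "alice", rid: "general" }];

// Minimal MongoDB-style matcher: just enough selector semantics to show what
// happens when an operator object arrives where a plain string was expected.
function matches(value, cond) {
  if (cond !== null && typeof cond === "object" && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case "$ne":    return value !== arg;
        case "$nin":   return !arg.includes(value);
        case "$regex": return new RegExp(arg).test(String(value));
        default:       throw new Error(`unsupported operator ${op}`);
      }
    });
  }
  return value === cond; // plain equality, the case the server intended
}
const Uploads = {
  findOne: (selector) =>
    uploads.find((doc) => Object.entries(selector).every(([k, v]) => matches(doc[k], v))),
};

function canAccessRoom(userId, rid) {
  return subscriptions.some((s) => s.u === userId && s.rid === rid);
}
// Stand-in for the storage URL builder (a real one would sign an S3 URL).
function buildUrl(file) {
  return `https://s3.example/${file.rid}/${file._id}/${file.name}`;
}

// Vulnerable shape: the argument goes straight into the selector, and knowing a
// file's random id is the only gate. A caller who sends { $ne: "f1" } or
// { $regex: "." } instead of an id matches documents whose id they never learned.
function getS3FileUrl_vulnerable(userId, fileId) {
  if (!userId) throw new Error("not-authorized");
  const file = Uploads.findOne({ _id: fileId });
  if (!file) throw new Error("file-not-found");
  return buildUrl(file);
}

// Hardened shape: reject anything but a string before it reaches the query
// (in Meteor: check(fileId, String)), then authorise against the matched file's room.
function getS3FileUrl_fixed(userId, fileId) {
  if (!userId) throw new Error("not-authorized");
  if (typeof fileId !== "string") throw new Error("invalid-argument");
  const file = Uploads.findOne({ _id: fileId });
  if (!file) throw new Error("file-not-found");
  if (!canAccessRoom(userId, file.rid)) throw new Error("not-authorized");
  return buildUrl(file);
}

// How the vulnerable shape is abused: walk the whole collection with $nin,
// excluding ids already seen, without knowing a single id up front. The id is
// recovered from the returned URL, whose layout this example controls.
function enumerateUrls(method, userId) {
  const seen = [];
  const urls = [];
  for (;;) {
    let url;
    try {
      url = method(userId, { $nin: seen });
    } catch (e) {
      if (e.message === "file-not-found" || e.message === "invalid-argument") break;
      throw e;
    }
    urls.push(url);
    seen.push(new URL(url).pathname.split("/")[2]);
  }
  return urls;
}

console.log("vulnerable, injected selector:", getS3FileUrl_vulnerable("alice", { $ne: "f1" }));
console.log("vulnerable, enumerated:", enumerateUrls(getS3FileUrl_vulnerable, "alice"));
console.log("fixed, enumerated:", enumerateUrls(getS3FileUrl_fixed, "alice"));
```

Run with `node`. The point of the enumerator is that the attacker never needs a valid id: each call excludes what has already been seen, so the loop terminates only when every upload's URL has been handed over. Against the hardened method the very first call is rejected for its non-string argument, and even a correctly guessed string id for a file in another room fails the ownership check.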

Potential Impact

For European organizations running a vulnerable Rocket.Chat release, the risk is unauthorized disclosure of files stored in their chat environment. Rocket.Chat is used as an internal collaboration and communication platform, so leaked upload URLs can expose confidential business documents, personal data or intellectual property, with the attendant GDPR exposure, reputational damage and potential regulatory penalties. The impact is greatest in sectors that handle sensitive data, such as finance, healthcare, legal and government. The flaw does not permit data modification or service disruption, but a confidentiality breach alone can be serious. Because exploitation needs an authenticated account, the realistic threat actors are insiders and attackers holding compromised user credentials; either can use the flaw to widen their reconnaissance of an organization's internal data and stage further attacks.

Mitigation Recommendations

Organizations should first confirm the Rocket.Chat version in use and upgrade to the fixed release for their branch: 4.7.5 on the 4.7 line, 4.8.2 on the 4.8 line, or 5.0 and later; no other 4.x release carries the fix. Beyond patching, keep access controls strict and watch for anomalous calls to getS3FileUrl; note that Meteor methods are invoked over the DDP websocket rather than as distinct HTTP requests, so web-server access logs will not show the method name, and detection needs application-level logging of method calls and their arguments (a non-string file identifier is the tell-tale). Network segmentation that isolates Rocket.Chat servers and restricts access to trusted users reduces exposure. Reviewing and tightening file upload and download permissions within Rocket.Chat limits what a compromised account can reach, and alerting on unusual file URL retrieval patterns helps catch exploitation attempts. Regular security audits and penetration tests should cover NoSQL injection in Meteor applications, where the standard control is validating every method argument with check() (Meteor's audit-argument-checks package flags methods that skip this). Finally, user education about credential compromise and strong authentication (MFA) reduce the chance that an attacker obtains the authenticated session the attack requires.
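A version triage check for the first step above, as an added example and not code from Rocket.Chat or this advisory. It assumes the fixed releases are exactly those the advisory names and treats every other 4.x release as vulnerable (the conservative reading of "<v5, <v4.8.2 and <v4.7.5"); prerelease suffixes are mapped to their base version. The two /api/info response shapes it accepts (a top-level version field on newer releases, info.version on older ones) are from our own observation of Rocket.Chat servers and are an assumption stated in the comments. The network call uses the fetch built into Node 18 and later.

```javascript
// Added triage helper for CVE-2022-35246; not from Rocket.Chat or the advisory.
// Assumption: fixed releases are exactly 4.7.5 (4.7 branch), 4.8.2 (4.8 branch)
// and 5.0.0 onward; any other 4.x or older release is treated as vulnerable.

function parseVersion(v) {
  // Accepts "4.8.1", "v4.8.1" and "5.0.0-rc.1" (prerelease maps to its base).
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function isVulnerable(version) {
  const [major, minor, patch] = parseVersion(version);
  if (major >= 5) return false;       // 5.0 and later carry the fix
  if (major < 4) return true;         // no fixed release exists on older lines
  if (minor === 8) return patch < 2;  // 4.8.0 and 4.8.1 are vulnerable
  if (minor === 7) return patch < 5;  // 4.7.0 .. 4.7.4 are vulnerable
  return true;                        // other 4.x branches: conservative reading
}

// Assumption: Rocket.Chat's /api/info returns { version } on newer releases
// and { info: { version } } on older ones; both shapes are handled here.
function versionFromInfo(body) {
  const v = body && (body.version || (body.info && body.info.version));
  if (!v) throw new Error("no version field in /api/info response");
  return v;
}

async function checkServer(baseUrl) {
  const res = await fetch(new URL("/api/info", baseUrl));
  if (!res.ok) throw new Error(`HTTP ${res.status} from ${baseUrl}`);
  const version = versionFromInfo(await res.json());
  return { version, vulnerable: isVulnerable(version) };
}

// Usage: node check.js https://chat.example.org
if (process.argv[2]) {
  checkServer(process.argv[2])
    .then((r) => console.log(JSON.stringify(r)))
    .catch((err) => console.error(err.message));
}
```

The branch-aware comparison matters: a naive "is it below 5.0" check would flag 4.8.2 and 4.7.5 as vulnerable, while a naive "is it at least 4.7.5" check would clear 4.8.0 and 4.8.1, which are not fixed.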


Technical Details

Data Version
5.1
Assigner Short Name
hackerone
Date Reserved
2022-07-06T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682f80630acd01a249264b4e

Added to database: 5/22/2025, 7:52:03 PM

Last enriched: 7/8/2025, 5:56:10 AM

Last updated: 7/31/2025, 6:05:04 PM
