CVE-2022-35247: Information Disclosure (CWE-200) in Rocket.Chat
An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 where the lack of ACL checks in the getRoomRoles Meteor method leaks channel members with special roles to unauthorized clients.
AI Analysis
Technical Summary
CVE-2022-35247 is an information disclosure vulnerability in Rocket.Chat versions prior to 4.7.5, 4.8.2 and 5.0.0. The root cause is a missing Access Control List (ACL) check in the getRoomRoles Meteor method, which returns the members of a chat room (channel or group) that hold room-level roles. Because the method validated the room but not the caller's right to see it, any client that could call the method, including an authenticated user who is not a member of the room, could learn which members hold special roles such as owner or moderator. This is a confidentiality breach: it exposes the internal structure of rooms that should be visible only to their members.

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v3.1 base score of 4.3 (Medium): network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, an ordinary account), no user interaction (UI:N), unchanged scope (S:U), low confidentiality impact (C:L) and no impact on integrity or availability (I:N/A:N). No exploitation in the wild was known as of publication, and fixes are available in the listed releases.

The flaw affects self-hosted and cloud deployments running any version before the fixed releases. An attacker exploiting it can map out the privileged users of rooms they are not members of, which supports targeted social engineering or follow-on attacks that rely on knowing who administers what.
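The missing-check pattern described above, shown as an added illustrative example rather than Rocket.Chat's own code: a simplified Meteor-style method that only validates the room (the vulnerable shape) next to one that also requires a logged-in caller and a room-level ACL check. The in-memory rooms, subscriptions, the `canAccessRoom` rule (public channels readable by any logged-in user, private groups only by members) and the error codes are all assumptions made for the demo.

```javascript
// Added example (not Rocket.Chat code): vulnerable vs hardened getRoomRoles.
// Room-type letters follow Rocket.Chat's convention: 'c' public channel, 'p' private group.
const rooms = {
  GENERAL: { _id: 'GENERAL', t: 'c', name: 'general' },
  ROOM_SEC: { _id: 'ROOM_SEC', t: 'p', name: 'security-incidents' },
};

// Constructed subscriptions: one per (user, room) pair, carrying room-level roles.
const subscriptions = [
  { rid: 'GENERAL', userId: 'u_alice', username: 'alice', roles: ['owner'] },
  { rid: 'GENERAL', userId: 'u_bob', username: 'bob', roles: [] },
  { rid: 'ROOM_SEC', userId: 'u_alice', username: 'alice', roles: ['owner'] },
  { rid: 'ROOM_SEC', userId: 'u_carol', username: 'carol', roles: ['moderator'] },
  { rid: 'ROOM_SEC', userId: 'u_dave', username: 'dave', roles: [] },
];

// Stand-in for Meteor.Error so callers can tell authz failures apart by code.
class MeteorError extends Error {
  constructor(error, reason) {
    super(reason);
    this.error = error;
  }
}

// Shared query: members of a room that hold at least one role.
function rolesInRoom(rid) {
  return subscriptions
    .filter((s) => s.rid === rid && s.roles.length > 0)
    .map((s) => ({ rid, username: s.username, roles: [...s.roles] }));
}

// Vulnerable shape: the room is validated, the caller is not. A non-member of a
// private group (or an anonymous caller) still gets the owner/moderator list.
function getRoomRolesVulnerable(callerUserId, rid) {
  const room = rooms[rid];
  if (!room) throw new MeteorError('error-invalid-room', 'Invalid room');
  return rolesInRoom(rid);
}

// Assumed access rule: public channels are visible to any logged-in user,
// private groups only to users holding a subscription to them.
function canAccessRoom(userId, room) {
  if (!userId) return false;
  if (room.t === 'c') return true;
  return subscriptions.some((s) => s.rid === room._id && s.userId === userId);
}

// Hardened shape: authenticate, then authorize against the room, before
// returning anything about its membership.
function getRoomRolesFixed(callerUserId, rid) {
  if (!callerUserId) throw new MeteorError('error-invalid-user', 'Invalid user');
  const room = rooms[rid];
  if (!room) throw new MeteorError('error-invalid-room', 'Invalid room');
  if (!canAccessRoom(callerUserId, room)) {
    throw new MeteorError('error-not-allowed', 'Not allowed');
  }
  return rolesInRoom(rid);
}

// Exercise both variants as bob, who is in GENERAL but not in ROOM_SEC.
function demo() {
  const outsider = 'u_bob';
  const leaked = getRoomRolesVulnerable(outsider, 'ROOM_SEC').map((r) => r.username);
  let fixedResult;
  try {
    fixedResult = getRoomRolesFixed(outsider, 'ROOM_SEC');
  } catch (e) {
    fixedResult = e.error;
  }
  return { leaked, fixedResult };
}

if (typeof module !== 'undefined' && require.main === module) {
  // Prints the privileged usernames the vulnerable method leaks to bob,
  // and the error code the fixed method returns him instead.
  console.log(JSON.stringify(demo(), null, 2));
}
```

The fix is deliberately two checks, not one: rejecting anonymous callers alone would still leak private-group structure to every registered user, which is exactly the PR:L case the CVSS vector describes.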
Potential Impact
For European organizations, the impact of CVE-2022-35247 is primarily related to confidentiality breaches within internal communication platforms. Rocket.Chat is widely used as an open-source team collaboration tool, often deployed in sectors requiring secure communication such as government agencies, healthcare, finance, and critical infrastructure. Disclosure of privileged user roles can aid attackers in identifying high-value targets for phishing, spear-phishing, or insider threat exploitation. Although this vulnerability does not directly compromise message content or system integrity, the leakage of role information can weaken organizational security postures by revealing administrative hierarchies and trusted users. This is particularly sensitive in regulated environments under GDPR, where unauthorized disclosure of user-related information can lead to compliance issues and reputational damage. The medium CVSS score reflects that while the vulnerability is not critical, it still poses a meaningful risk that should be addressed promptly to maintain confidentiality and trust in internal communications.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade Rocket.Chat to 4.7.5, 4.8.2, 5.0.0 or later, where getRoomRoles performs the missing ACL check. Upgrading is the only control that actually closes the flaw: getRoomRoles is an ordinary Meteor method reachable by any authenticated user over the server's standard DDP connection, so firewall rules or segmentation that fence off only the administrative APIs do not block it. Such rules are still worthwhile for limiting who can reach the instance at all, and restricting account self-registration reduces the pool of low-privilege accounts that satisfy the PR:L precondition. Beyond patching, administrators should audit user permissions and roles so that least privilege is enforced and the number of users with elevated room roles stays small. Strong authentication, such as multi-factor authentication (MFA), reduces the risk of an attacker obtaining the ordinary account the attack requires. Monitoring and logging of calls to role-related methods and endpoints can surface enumeration, for example one account querying roles across many rooms it is not a member of. Regular security assessments and penetration testing focused on access control in collaboration platforms are recommended to find similar weaknesses proactively.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: hackerone
- Date Reserved: 2022-07-06T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682f67ff0acd01a2492645a2
Added to database: 5/22/2025, 6:07:59 PM
Last enriched: 7/8/2025, 8:42:15 AM
Last updated: 8/17/2025, 3:17:27 AM