
CVE-2022-35247: Information Disclosure (CWE-200) in Rocket.Chat

Severity: Medium
Tags: Vulnerability, CVE-2022-35247, CWE-200
Published: Fri Sep 23 2022 (09/23/2022, 18:28:13 UTC)
Source: CVE
Vendor/Project: n/a
Product: Rocket.Chat

Description

An information disclosure vulnerability exists in Rocket.chat <v5, <v4.8.2 and <v4.7.5 where the lack of ACL checks in the getRoomRoles Meteor method leaks channel members with special roles to unauthorized clients.

AI-Powered Analysis

Last updated: 07/08/2025, 08:42:15 UTC

Technical Analysis

CVE-2022-35247 is an information disclosure vulnerability in Rocket.Chat, fixed in versions 4.7.5, 4.8.2 and 5.0.0; earlier releases on each of those lines are affected. The root cause is the lack of Access Control List (ACL) checks in the getRoomRoles Meteor method, which returns the roles assigned to members of a chat channel (room). Because the method does not verify that the caller is authorized to see the room, an unauthorized client can invoke it and learn which channel members hold special roles, such as administrators or moderators. Leaking role membership is a confidentiality breach: it exposes the internal structure of channels that should be restricted. The vulnerability is classified under CWE-200 (Information Exposure) and has a CVSS v3.1 base score of 4.3 (medium severity). The attack vector is network-based (AV:N) with low attack complexity (AC:L); it requires low privileges (PR:L), i.e. an ordinary authenticated account, and no user interaction (UI:N). Scope is unchanged (S:U) and the impact is on confidentiality only (C:L), with no effect on integrity or availability. No exploits in the wild were known as of the publication date, and patches are available in the fixed versions listed above. The vulnerability primarily affects organizations running self-hosted or cloud instances of Rocket.Chat older than the fixed releases. An attacker who exploits it can map out privileged users within channels, which can facilitate targeted social engineering or further attacks that rely on insider knowledge.
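The following is an added illustration of the missing-check pattern described above, not Rocket.Chat's own code: a simplified room-roles lookup that trusts any caller, beside a version that verifies the caller's identity and room access before returning anything. The in-memory data model, the helper names (findRoomRoles, canAccessRoom, getRoomRolesUnchecked, getRoomRolesChecked) and the access policy (public rooms visible to any logged-in user, private rooms only to their members) are assumptions made for this example.

```javascript
// Added example: CWE-200 via a method that skips authorization, and its
// hardened counterpart. Simplified stand-in, not Rocket.Chat's implementation;
// data model and access policy below are assumptions for the illustration.

// Constructed sample data: two rooms and the users subscribed to them.
const rooms = {
  general: { type: 'public' },
  'exec-board': { type: 'private' },
};

const subscriptions = [
  { roomId: 'general', userId: 'alice', roles: ['owner'] },
  { roomId: 'general', userId: 'bob', roles: [] },
  { roomId: 'exec-board', userId: 'alice', roles: ['owner'] },
  { roomId: 'exec-board', userId: 'carol', roles: ['moderator'] },
];

class AccessDenied extends Error {}

// Shared query: members of a room that hold at least one special role.
function findRoomRoles(roomId) {
  return subscriptions
    .filter((s) => s.roomId === roomId && s.roles.length > 0)
    .map((s) => ({ userId: s.userId, roles: s.roles }));
}

// Vulnerable shape: the caller's identity is never consulted, so any client
// that can reach the method can enumerate owners/moderators of any room.
function getRoomRolesUnchecked(callerId, roomId) {
  return findRoomRoles(roomId);
}

// Access policy (assumed): public rooms are visible to any logged-in user,
// private rooms only to their members. Unknown rooms are treated as
// inaccessible so the error does not reveal whether a room exists.
function canAccessRoom(callerId, roomId) {
  const room = rooms[roomId];
  if (!room) return false;
  if (room.type === 'public') return true;
  return subscriptions.some((s) => s.roomId === roomId && s.userId === callerId);
}

// Hardened shape: require a logged-in caller and check room access before
// touching role data. The check lives in the method itself, not the client.
function getRoomRolesChecked(callerId, roomId) {
  if (!callerId) throw new AccessDenied('login required');
  if (!canAccessRoom(callerId, roomId)) throw new AccessDenied('room access denied');
  return findRoomRoles(roomId);
}

// Demonstration: bob is not a member of exec-board.
function demo() {
  const leaked = getRoomRolesUnchecked('bob', 'exec-board'); // alice and carol
  let denied = false;
  try {
    getRoomRolesChecked('bob', 'exec-board');
  } catch (e) {
    denied = e instanceof AccessDenied;
  }
  return { leakedCount: leaked.length, denied };
}

console.log(demo()); // { leakedCount: 2, denied: true }
```

Note that the hardened version returns the same AccessDenied error for a private room the caller is not in and for a room that does not exist; distinguishing the two would turn the method into a room-existence oracle, which is a smaller but related information leak.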

Potential Impact

For European organizations, the impact of CVE-2022-35247 is primarily related to confidentiality breaches within internal communication platforms. Rocket.Chat is widely used as an open-source team collaboration tool, often deployed in sectors requiring secure communication such as government agencies, healthcare, finance, and critical infrastructure. Disclosure of privileged user roles can aid attackers in identifying high-value targets for phishing, spear-phishing, or insider threat exploitation. Although this vulnerability does not directly compromise message content or system integrity, the leakage of role information can weaken organizational security postures by revealing administrative hierarchies and trusted users. This is particularly sensitive in regulated environments under GDPR, where unauthorized disclosure of user-related information can lead to compliance issues and reputational damage. The medium CVSS score reflects that while the vulnerability is not critical, it still poses a meaningful risk that should be addressed promptly to maintain confidentiality and trust in internal communications.

Mitigation Recommendations

To mitigate this vulnerability, organizations should upgrade Rocket.Chat instances to version 4.7.5, 4.8.2 or 5.0.0 (or later), where the ACL checks in the getRoomRoles method have been implemented. Beyond patching, administrators should audit user permissions and roles to ensure the principle of least privilege is enforced, minimizing the number of users with elevated roles. Network segmentation and firewall rules should restrict access to Rocket.Chat administrative APIs to trusted internal networks or VPNs. Strong authentication mechanisms, such as multi-factor authentication (MFA), reduce the risk of unauthorized access to Rocket.Chat instances. Additionally, monitoring and logging access to role-related API endpoints can help detect suspicious activity indicative of exploitation attempts, for example a single account querying role information for many different rooms in a short period. Regular security assessments and penetration testing focused on access control mechanisms within collaboration platforms are recommended to proactively identify similar weaknesses.
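As an added example of the monitoring recommendation above (not code from the advisory or from Rocket.Chat), the block below parses constructed method-call log lines and flags any account that queries room roles for more than a threshold number of distinct rooms within a sliding time window. The log format, field names (ts, user, method, room) and the thresholds are assumptions for the illustration; a real deployment would map its own log fields onto them.

```javascript
// Added detection example: spot role enumeration across many rooms by one
// account. Log format and thresholds are constructed for this illustration
// and are not Rocket.Chat's actual log schema.

// Constructed sample log: one JSON object per line. "mallory" sweeps five
// rooms within seconds; "alice" makes two legitimate calls 90 minutes apart.
const sampleLog = `
{"ts":"2022-09-23T18:00:01Z","user":"alice","method":"getRoomRoles","room":"general"}
{"ts":"2022-09-23T18:00:05Z","user":"mallory","method":"getRoomRoles","room":"general"}
{"ts":"2022-09-23T18:00:06Z","user":"mallory","method":"getRoomRoles","room":"exec-board"}
{"ts":"2022-09-23T18:00:07Z","user":"mallory","method":"getRoomRoles","room":"finance"}
{"ts":"2022-09-23T18:00:08Z","user":"mallory","method":"getRoomRoles","room":"hr"}
{"ts":"2022-09-23T18:00:09Z","user":"mallory","method":"getRoomRoles","room":"legal"}
{"ts":"2022-09-23T18:00:10Z","user":"mallory","method":"getRoomRoles","room":"legal"}
{"ts":"2022-09-23T18:05:00Z","user":"bob","method":"sendMessage","room":"general"}
not-json-at-all
{"ts":"2022-09-23T19:30:00Z","user":"alice","method":"getRoomRoles","room":"exec-board"}
`;

// Parse lines into events, skipping blanks and malformed entries so one bad
// line does not stop the whole analysis. Adds a numeric timestamp `t`.
function parseLog(text) {
  const events = [];
  for (const line of text.split('\n')) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    try {
      const e = JSON.parse(trimmed);
      if (e.ts && e.user && e.method) events.push({ ...e, t: Date.parse(e.ts) });
    } catch (err) {
      // malformed line: ignored for this example (a real pipeline would count it)
    }
  }
  return events;
}

// Per-user sliding window: alert once for a user when more than `maxRooms`
// distinct rooms had their roles queried within `windowMs`. Example thresholds.
function detectRoleEnumeration(events, { windowMs = 5 * 60 * 1000, maxRooms = 3 } = {}) {
  const perUser = new Map();
  for (const e of events) {
    if (e.method !== 'getRoomRoles') continue;
    if (!perUser.has(e.user)) perUser.set(e.user, []);
    perUser.get(e.user).push(e);
  }
  const alerts = [];
  for (const [user, evs] of perUser) {
    evs.sort((a, b) => a.t - b.t);
    for (let j = 0; j < evs.length; j++) {
      // Collect distinct rooms in the window ending at event j.
      const roomsInWindow = new Set();
      for (let i = j; i >= 0 && evs[j].t - evs[i].t <= windowMs; i--) {
        roomsInWindow.add(evs[i].room);
      }
      if (roomsInWindow.size > maxRooms) {
        alerts.push({ user, windowEnd: evs[j].ts, distinctRooms: roomsInWindow.size });
        break; // one alert per user is enough for triage
      }
    }
  }
  return alerts;
}

function runDetection() {
  return detectRoleEnumeration(parseLog(sampleLog));
}

console.log(runDetection()); // [ { user: 'mallory', windowEnd: '2022-09-23T18:00:08Z', distinctRooms: 4 } ]
```

The window is evaluated per event rather than per fixed bucket so a sweep that straddles a minute or hour boundary is still caught; the cost is quadratic in the number of calls per user, which is fine for log review but would want a counting map for a streaming detector.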


Technical Details

Data Version: 5.1
Assigner Short Name: hackerone
Date Reserved: 2022-07-06T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f67ff0acd01a2492645a2

Added to database: 5/22/2025, 6:07:59 PM

Last enriched: 7/8/2025, 8:42:15 AM

Last updated: 8/12/2025, 6:54:41 AM
