CVE-2022-35247 is an information disclosure vulnerability identified in Rocket.Chat versions prior to 4.7.5, 4.8.2, and 5.0.0. The root cause of this vulnerability lies in the lack of proper Access Control List (ACL) checks within the getRoomRoles Meteor method. This method is responsible for retrieving the roles assigned to members within a chat channel (room). Due to insufficient authorization validation, unauthorized clients can invoke this method and obtain information about channel members who hold special roles, such as administrators or moderators. This leakage of role membership information constitutes a breach of confidentiality, as it exposes sensitive internal structure details of communication channels that should be restricted. The vulnerability is classified under CWE-200 (Information Exposure) and has a CVSS v3.1 base score of 4.3, indicating a medium severity level. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), and requires privileges (PR:L) but no user interaction (UI:N). The scope remains unchanged (S:U), and the impact affects confidentiality only (C:L), with no impact on integrity or availability. There are no known exploits in the wild as of the publication date, and patches have been released in the specified fixed versions. This vulnerability primarily affects organizations using self-hosted or cloud instances of Rocket.Chat versions before the fixed releases. Attackers exploiting this flaw can map out privileged users within channels, potentially facilitating targeted social engineering or further attacks leveraging insider knowledge.

For European organizations, the impact of CVE-2022-35247 is primarily related to confidentiality breaches within internal communication platforms. Rocket.Chat is widely used as an open-source team collaboration tool, often deployed in sectors requiring secure communication such as government agencies, healthcare, finance, and critical infrastructure. Disclosure of privileged user roles can aid attackers in identifying high-value targets for phishing, spear-phishing, or insider threat exploitation. Although this vulnerability does not directly compromise message content or system integrity, the leakage of role information can weaken organizational security postures by revealing administrative hierarchies and trusted users. This is particularly sensitive in regulated environments under GDPR, where unauthorized disclosure of user-related information can lead to compliance issues and reputational damage. The medium CVSS score reflects that while the vulnerability is not critical, it still poses a meaningful risk that should be addressed promptly to maintain confidentiality and trust in internal communications.

To mitigate this vulnerability, organizations should immediately upgrade Rocket.Chat instances to versions 4.7.5, 4.8.2, 5.0.0 or later, where the ACL checks in the getRoomRoles method have been properly implemented. Beyond patching, administrators should audit user permissions and roles to ensure the principle of least privilege is enforced, minimizing the number of users with elevated roles. Network segmentation and firewall rules should restrict access to Rocket.Chat administrative APIs to trusted internal networks or VPNs. Implementing strong authentication mechanisms, such as multi-factor authentication (MFA), can reduce the risk of unauthorized access to Rocket.Chat instances. Additionally, monitoring and logging access to role-related API endpoints can help detect suspicious activity indicative of exploitation attempts. Regular security assessments and penetration testing focused on access control mechanisms within collaboration platforms are recommended to proactively identify similar weaknesses.