CVE-2022-35249: Information Disclosure (CWE-200) in Rocket.Chat
An information disclosure vulnerability exists in Rocket.Chat <v5 where the getUserMentionsByChannel Meteor server method discloses messages from private channels and direct messages regardless of the user's access permission to the room.
AI Analysis
Technical Summary
CVE-2022-35249 is an information disclosure vulnerability identified in Rocket.Chat versions prior to 5.0. Rocket.Chat is an open-source team collaboration platform widely used for messaging within organizations. The vulnerability exists in the Meteor server method getUserMentionsByChannel, which is intended to retrieve user mentions within a specific channel. However, due to improper access control checks, this method discloses messages from private channels and direct messages even to users who do not have permission to access those rooms. This flaw violates the confidentiality principle by exposing sensitive communication data to unauthorized users. The vulnerability is classified under CWE-200 (Information Exposure) and has a CVSS v3.1 base score of 4.3, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) shows that the attack can be performed remotely over the network with low attack complexity, requires low privileges (authenticated user), no user interaction, and impacts confidentiality only without affecting integrity or availability. There are no known exploits in the wild as of the published date, and the issue was fixed starting with Rocket.Chat version 5.0. The vulnerability arises from insufficient authorization checks in the server method, allowing authenticated users to access messages from private channels and direct messages they should not see. This could lead to leakage of sensitive organizational information, private conversations, or confidential data shared within restricted channels.
Potential Impact
For European organizations using Rocket.Chat for internal communications, this vulnerability poses a significant risk to the confidentiality of sensitive information. Private channels and direct messages often contain proprietary business data, personal employee information, or strategic communications. Unauthorized disclosure of such information could lead to reputational damage, regulatory non-compliance (especially under GDPR, which mandates protection of personal data), and potential competitive disadvantage. Since the vulnerability requires an authenticated user, the risk is primarily from insider threats or compromised accounts. However, given that many organizations use Rocket.Chat for critical communications, even limited unauthorized access can have serious consequences. The medium CVSS score reflects that while the impact is limited to confidentiality and exploitation requires some privileges, the scope of affected data can be broad within an organization. European entities in sectors such as finance, healthcare, government, and technology, where sensitive communications are common, are particularly at risk. Additionally, the lack of known exploits in the wild suggests that proactive patching can effectively mitigate this threat before exploitation becomes widespread.
Mitigation Recommendations
Organizations should immediately upgrade Rocket.Chat installations to version 5.0 or later, where this vulnerability has been addressed. Beyond patching, administrators should audit user permissions and access controls to ensure that only authorized personnel have access to private channels and direct messages. Implementing strict account management policies, including multi-factor authentication (MFA), can reduce the risk of account compromise that could lead to exploitation. Monitoring and logging access to sensitive channels can help detect anomalous behavior indicative of exploitation attempts. Additionally, organizations should conduct regular security assessments of their collaboration platforms to identify and remediate potential misconfigurations or vulnerabilities. For environments where immediate upgrading is not feasible, restricting access to the Meteor server methods or applying custom access control rules may serve as a temporary mitigation. Finally, educating users about the importance of safeguarding credentials and recognizing suspicious activity can further reduce risk.
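To make the authorization gap described in the technical summary, and the "custom access control rules" recommended above, concrete, here is an added example that is not Rocket.Chat's own code. It models a Meteor-style server method the way the advisory describes it: the query is scoped by room id, but the vulnerable version never checks whether the caller may read that room, while the hardened version resolves the room and authorizes the caller before touching the message collection. The room types (`c`, `p`, `d`), the `canAccessRoom` rule, the `MeteorError` stand-in and all rooms and messages are constructed assumptions for this illustration.

```javascript
// Added illustrative model, not Rocket.Chat's own code: a Meteor-style
// server method that scopes its query by room id but never checks the
// caller's access to that room (the CVE-2022-35249 pattern), beside the
// hardened version. Room/message shapes and all data are constructed.

// Constructed room directory. t: 'c' = public channel, 'p' = private
// group, 'd' = direct message (assumed conventions for this model).
const rooms = {
  general: { _id: 'general', t: 'c', usernames: ['alice', 'bob', 'mallory'] },
  finance: { _id: 'finance', t: 'p', usernames: ['alice', 'bob'] },
  'dm-alice-bob': { _id: 'dm-alice-bob', t: 'd', usernames: ['alice', 'bob'] },
};

// Constructed messages; `mentions` lists the usernames mentioned in `msg`.
const messages = [
  { _id: 'm1', rid: 'general', msg: '@mallory welcome aboard', mentions: ['mallory'] },
  { _id: 'm2', rid: 'finance', msg: '@mallory is not cleared for the Q3 deck', mentions: ['mallory'] },
  { _id: 'm3', rid: 'finance', msg: '@alice numbers attached', mentions: ['alice'] },
  { _id: 'm4', rid: 'dm-alice-bob', msg: '@mallory keeps asking about salaries', mentions: ['mallory'] },
];

// Stand-in for Meteor.Error so the example runs outside Meteor.
class MeteorError extends Error {
  constructor(error, reason) {
    super(reason);
    this.error = error;
  }
}

// Messages in `roomId` that mention `username`; no access control here.
function findMentionsInRoom(username, roomId) {
  return messages.filter((m) => m.rid === roomId && m.mentions.includes(username));
}

// Vulnerable pattern: any authenticated caller can name any room id, and
// the method returns the matching messages whether or not the caller is
// allowed to read that room.
function getUserMentionsByChannelUnchecked(callerUsername, roomId) {
  if (!callerUsername) throw new MeteorError('error-invalid-user', 'Invalid user');
  return findMentionsInRoom(callerUsername, roomId);
}

// Room access rule (assumed): public channels are readable by any
// authenticated user; private groups and direct messages only by members.
function canAccessRoom(room, username) {
  if (room.t === 'c') return true;
  return room.usernames.includes(username);
}

// Hardened pattern: resolve the room and authorize the caller before
// querying messages. A missing room and a forbidden room raise the same
// error so the response does not reveal whether a private room id exists.
function getUserMentionsByChannel(callerUsername, roomId) {
  if (!callerUsername) throw new MeteorError('error-invalid-user', 'Invalid user');
  const room = rooms[roomId];
  if (!room || !canAccessRoom(room, callerUsername)) {
    throw new MeteorError('error-not-allowed', 'Not allowed');
  }
  return findMentionsInRoom(callerUsername, roomId);
}

// Helper for comparing the two methods: the message ids a call returns,
// or the error code it raises.
function outcome(method, callerUsername, roomId) {
  try {
    return method(callerUsername, roomId).map((m) => m._id);
  } catch (e) {
    return e instanceof MeteorError ? e.error : String(e);
  }
}
```

With this data, `outcome(getUserMentionsByChannelUnchecked, 'mallory', 'finance')` returns `['m2']`: a message from a private group the caller does not belong to, which is exactly the disclosure the advisory describes. The hardened method returns `'error-not-allowed'` for the same call, still serves `['m1']` for the public channel, and serves `['m3']` to alice, who is a member of the finance group. The same check belongs in any server method or REST endpoint that takes a room id from the client; in a review, look for queries filtered by `rid` with no preceding membership check.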
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: hackerone
- Date Reserved: 2022-07-06T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682f725b0acd01a2492647d9
Added to database: 5/22/2025, 6:52:11 PM
Last enriched: 7/8/2025, 6:13:33 AM
Last updated: 8/17/2025, 10:01:56 AM
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)