SQL Injection Vulnerability in Rocket.Chat Products by Rocket.Chat
CVE-2022-32211

8.8HIGH

Key Information:

Vendor: Rocket.chat
Status: Rocket.chat
Vendor: CVE Published:; 23 September 2022

🔔 Create Rocket.chat Vulnerability Alert

What is CVE-2022-32211?

A SQL injection vulnerability in Rocket.Chat allows attackers to exploit poorly sanitized user inputs, potentially leading to unauthorized access. Attackers can retrieve sensitive information, such as reset password tokens or two-factor authentication (2FA) secrets, from affected versions of the software, namely those below 3.18.6, 4.4.4, and 4.7.3. Organizations using these affected versions should prioritize applying security patches to mitigate possible exploitation.

Affected Version(s)

Rocket.Chat Fixed in 3.18.6, 4.4.4 and 4.7.3>

References

https://hackerone.com/reports/1581059

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 23, 2022
Vulnerability Reserved
Jun 1, 2022