Information Disclosure Vulnerability in Rocket.Chat by Rocket.Chat
CVE-2022-32219
4.3 MEDIUM
What is CVE-2022-32219?
An information disclosure vulnerability in Rocket.Chat versions before 4.7.5 allows any authenticated user to query the 'users.list' REST endpoint. The flaw arises because the endpoint uses client-provided JSON parameters directly in a query, enabling users to access sensitive information, including details of other authenticated users; password hashes are excluded from what can be retrieved. This poses a significant risk to user privacy and data integrity within the platform.
Affected Version(s)
Rocket.Chat fixed in 4.7.5