Lucene search

K
cvelistHackeroneCVELIST:CVE-2022-32228
HistorySep 23, 2022 - 6:28 p.m.

CVE-2022-32228

2022-09-2318:28:13
CWE-200
hackerone
www.cve.org
1
information disclosure
rocket.chat
mongodb
$regex
vulnerability

AI Score

4.8

Confidence

High

EPSS

0.001

Percentile

24.8%

An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 since the getReadReceipts Meteor server method does not properly filter user inputs that are passed to MongoDB queries, allowing $regex queries to enumerate arbitrary Message IDs.

CNA Affected

[
  {
    "product": "Rocket.Chat",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Fixed in versions 4.7.5, 4.8.2 and 5.0.0"
      }
    ]
  }
]

AI Score

4.8

Confidence

High

EPSS

0.001

Percentile

24.8%

Related for CVELIST:CVE-2022-32228