Lucene search
HistorySep 23, 2022 - 7:15 p.m.
CVE-2022-32228
rocket.chat
information disclosure
vulnerability
mongodb queries
$regex queries
message ids
CVSS3
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS
0.001
Percentile
24.8%
An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 since the getReadReceipts Meteor server method does not properly filter user inputs that are passed to MongoDB queries, allowing $regex queries to enumerate arbitrary Message IDs.
Affected configurations
Node
rocket.chatrocket.chatRange<4.7.5
ORrocket.chatrocket.chatRange4.8.0–4.8.2
| Vendor | Product | Version | CPE |
|---|---|---|---|
| rocket.chat | rocket.chat | * | cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:* |
References
Related
cvelist
cvelist
CVE-2022-32228
2022-09-23 18:28:13
cnvd
cnvd
Rocket.Chat getReadReceipts Meteor information disclosure vulnerability
2022-09-28 00:00:00
osv
osv
CVE-2022-32228
2022-09-23 19:15:11
prion
prion
Information disclosure
2022-09-23 19:15:00
hackerone
hackerone
cve
cve
CVE-2022-32228
2022-09-23 19:15:11
CVSS3
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS
0.001
Percentile
24.8%
Related for NVD:CVE-2022-32228