CVE-2022-35247 - Vulnerability Details - OpenCVE

A information disclosure vulnerability exists in Rocket.chat <v5, <v4.8.2 and <v4.7.5 where the lack of ACL checks in the getRoomRoles Meteor method leak channel members with special roles to unauthorized clients.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Rocket.chat	Rocket.chat

Configuration 1 [-]

OR	cpe:2.3:a:rocket.chat:rocket.chat::::::::
	cpe:2.3:a:rocket.chat:rocket.chat::::::::

No data.

References

Link	Providers
https://hackerone.com/reports/1447440

History

No history.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2022-09-23T18:28:13

Updated: 2024-08-03T09:29:17.508Z

Reserved: 2022-07-06T00:00:00

Link: CVE-2022-35247

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-23T19:15:13.957

Modified: 2024-11-21T07:10:58.063

Link: CVE-2022-35247

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Rocket.Chat", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in versions 4.7.5, 4.8,2 and 5.0.0>"}]}], "descriptions": [{"lang": "en", "value": "A information disclosure vulnerability exists in Rocket.chat <v5, <v4.8.2 and <v4.7.5 where the lack of ACL checks in the getRoomRoles Meteor method leak channel members with special roles to unauthorized clients."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "Information Disclosure (CWE-200)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-23T18:28:13", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1447440"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2022-35247", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Rocket.Chat", "version": {"version_data": [{"version_value": "Fixed in versions 4.7.5, 4.8,2 and 5.0.0>"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A information disclosure vulnerability exists in Rocket.chat <v5, <v4.8.2 and <v4.7.5 where the lack of ACL checks in the getRoomRoles Meteor method leak channel members with special roles to unauthorized clients."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Disclosure (CWE-200)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/1447440", "refsource": "MISC", "url": "https://hackerone.com/reports/1447440"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:29:17.508Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/1447440"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2022-35247", "datePublished": "2022-09-23T18:28:13", "dateReserved": "2022-07-06T00:00:00", "dateUpdated": "2024-08-03T09:29:17.508Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3155E31-438F-4694-88C7-4D6C91C86C1D", "versionEndExcluding": "4.7.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C7BCD8A-EF54-4DFB-9DBA-FED38DB78789", "versionEndExcluding": "4.8.2", "versionStartIncluding": "4.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A information disclosure vulnerability exists in Rocket.chat <v5, <v4.8.2 and <v4.7.5 where the lack of ACL checks in the getRoomRoles Meteor method leak channel members with special roles to unauthorized clients."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en Rocket.chat versiones anteriores a v5, versiones anteriores a v4.8.2 y versiones anteriores a v4.7.5 donde una falta de comprobaciones de ACL en el m\u00e9todo getRoomRoles Meteor filtra miembros del canal con roles especiales a clientes no autorizados.\n"}], "id": "CVE-2022-35247", "lastModified": "2024-11-21T07:10:58.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-23T19:15:13.957", "references": [{"source": "support@hackerone.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://hackerone.com/reports/1447440"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://hackerone.com/reports/1447440"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}