OpenCVE

An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Rocket.chat	Rocket.chat

Configuration 1 [-]

OR	cpe:2.3:a:rocket.chat:rocket.chat::::::::
	cpe:2.3:a:rocket.chat:rocket.chat::::::::

No data.

References

Link	Providers
https://hackerone.com/reports/1406953

History

No history.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2022-09-23T18:28:13

Updated: 2024-08-03T07:32:56.014Z

Reserved: 2022-06-01T00:00:00

Link: CVE-2022-32218

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-23T19:15:11.670

Modified: 2024-11-21T07:05:56.823

Link: CVE-2022-32218

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Rocket.chat", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in 4.7.5, 4.8.2 and 5.0>"}]}], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "Information Disclosure (CWE-200)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-23T18:28:13", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1406953"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2022-32218", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Rocket.chat", "version": {"version_data": [{"version_value": "Fixed in 4.7.5, 4.8.2 and 5.0>"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Disclosure (CWE-200)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/1406953", "refsource": "MISC", "url": "https://hackerone.com/reports/1406953"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:32:56.014Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/1406953"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2022-32218", "datePublished": "2022-09-23T18:28:13", "dateReserved": "2022-06-01T00:00:00", "dateUpdated": "2024-08-03T07:32:56.014Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3155E31-438F-4694-88C7-4D6C91C86C1D", "versionEndExcluding": "4.7.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C7BCD8A-EF54-4DFB-9DBA-FED38DB78789", "versionEndExcluding": "4.8.2", "versionStartIncluding": "4.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en Rocket.Chat versiones anteriores a v5, versiones anteriores a v4.8.2 y versiones anteriores a v4.7.5, debido a que fue encontrado que el m\u00e9todo actionLinkHandler permite la Enumeraci\u00f3n de ID de mensajes con consultas Regex MongoDB."}], "id": "CVE-2022-32218", "lastModified": "2024-11-21T07:05:56.823", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-23T19:15:11.670", "references": [{"source": "support@hackerone.com", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Third Party Advisory"], "url": "https://hackerone.com/reports/1406953"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Third Party Advisory"], "url": "https://hackerone.com/reports/1406953"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}]}