PT-2022-21157 · Rocket.Chat · Rocket.Chat

Paulocsanz · Published 2022-09-23 · Updated 2022-09-27 · CVE-2022-32219

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Rocket.Chat versions prior to 4.7.5

Description: An information disclosure issue exists, allowing virtually any authenticated user to access any data, except password hashes, of any other authenticated user. This is due to the "users.list" REST endpoint processing a query parameter from JSON and executing Users.find(queryFromClientSide).

Recommendations: For versions prior to 4.7.5, update to version 4.7.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "users.list" REST endpoint to minimize the risk of exploitation.
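The pattern behind the description above, as an added illustration that is not Rocket.Chat's code: an in-memory stand-in for Users.find() and two shapes of a users.list handler. The vulnerable shape forwards the client's parsed JSON query (and, optionally, the projection) straight to the collection, so any stored field can be selected on or read back; the hardened shape accepts only an allowlist of filter keys with plain-string values and always applies a fixed projection of public fields. The sample documents, field names, allowlist and function names are constructed for the example and are not Rocket.Chat's real schema or API.

```javascript
// Added example (not Rocket.Chat's code): contrast a handler that passes a
// client-supplied query to the users collection with one that validates it.

// Constructed sample data; field names are illustrative, not Rocket.Chat's
// schema. No password hashes are included (the advisory excludes them).
const USERS = [
  { _id: 'u1', username: 'alice', name: 'Alice', status: 'online',
    email: 'alice@example.test', roles: ['admin'], lastLogin: '2022-09-01' },
  { _id: 'u2', username: 'bob', name: 'Bob', status: 'away',
    email: 'bob@example.test', roles: ['user'], lastLogin: '2022-08-30' },
];

// Keys a caller may filter on, and the only fields that are ever returned.
const ALLOWED_FILTER_KEYS = new Set(['username', 'name', 'status']);
const PUBLIC_FIELDS = ['_id', 'username', 'name', 'status'];

// Resolve a dotted path such as "profile.phone" inside a document.
function getPath(doc, path) {
  return path.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), doc);
}

// Minimal equality-only stand-in for a MongoDB find(query, projection).
// `fields` is an array of field names to keep, or null for the whole document.
function findUsers(collection, query, fields) {
  const matches = collection.filter((doc) =>
    Object.entries(query).every(([k, v]) => getPath(doc, k) === v));
  return matches.map((doc) => {
    if (!fields) return { ...doc };
    const out = {};
    for (const f of fields) if (f in doc) out[f] = doc[f];
    return out;
  });
}

// Vulnerable shape: the client's JSON is the query, and the client may also
// choose the projection, so every stored field is selectable and readable.
function usersListVulnerable(rawQuery, rawFields) {
  const query = rawQuery ? JSON.parse(rawQuery) : {};
  const fields = rawFields ? JSON.parse(rawFields) : null;
  return findUsers(USERS, query, fields);
}

// Hardened shape: parse, check every key against the allowlist, reject values
// that are not plain strings (no operators, no nested objects), and keep the
// projection server-side.
function usersListHardened(rawQuery) {
  const parsed = rawQuery ? JSON.parse(rawQuery) : {};
  if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
    throw new Error('query must be a JSON object');
  }
  const safeQuery = {};
  for (const [key, value] of Object.entries(parsed)) {
    if (!ALLOWED_FILTER_KEYS.has(key)) {
      throw new Error(`filtering on "${key}" is not permitted`);
    }
    if (typeof value !== 'string') {
      throw new Error(`filter "${key}" must be a plain string`);
    }
    safeQuery[key] = value;
  }
  return findUsers(USERS, safeQuery, PUBLIC_FIELDS);
}

// Stand-alone demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(usersListVulnerable('{"email":"alice@example.test"}'));
  console.log(usersListHardened('{"username":"alice"}'));
  try {
    usersListHardened('{"email":"alice@example.test"}');
  } catch (e) {
    console.log('rejected:', e.message);
  }
}
```

The hardened handler rejects rather than silently drops disallowed keys, which makes probing of the filter surface visible in application logs; the fixed projection is what keeps fields such as email addresses and roles out of the response even when a permitted filter matches.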

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers: CVE-2022-32219

Affected Products: Rocket.Chat