PT-2022-22654 · Unknown · Rocket.Chat

Gronke · Published 2022-09-23 · Updated 2022-09-26 · CVE-2022-35247

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
- Rocket.Chat versions prior to 5
- Rocket.Chat versions prior to 4.8.2
- Rocket.Chat versions prior to 4.7.5

Description
An information disclosure issue exists due to the lack of ACL checks in the getRoomRoles Meteor method, which leaks channel members with special roles to unauthorized clients.

Recommendations
- For versions prior to 5, update to version 5 or later to resolve the issue.
- For versions prior to 4.8.2, update to version 4.8.2 or later to resolve the issue.
- For versions prior to 4.7.5, update to version 4.7.5 or later to resolve the issue.
As a temporary workaround, consider restricting access to the getRoomRoles Meteor method until a patch is available.
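The missing check described above, shown as an added example written for this advisory rather than taken from Rocket.Chat or Meteor: a Meteor-style method handler that returns a room's role holders, first in the unchecked shape and then with a room-access check in front of the lookup. The in-memory room store, the canAccessRoom helper, the error strings and the user ids are constructed assumptions.

```javascript
// Added example (not Rocket.Chat's or Meteor's code): the same method body
// with and without an access check. Everything below is a constructed
// stand-in so the file runs offline under Node.

// Constructed sample data: one public channel ('c') and one private group ('p').
const rooms = {
  general: { t: 'c', members: ['alice', 'bob'],
             roles: [{ u: 'alice', roles: ['owner'] }] },
  secret:  { t: 'p', members: ['carol', 'dave'],
             roles: [{ u: 'carol', roles: ['owner'] },
                     { u: 'dave', roles: ['moderator'] }] },
};

// Hypothetical ACL helper: a public channel is readable by any logged-in
// user, a private group only by its members.
function canAccessRoom(room, userId) {
  if (!userId) return false;
  if (room.t === 'c') return true;
  return room.members.includes(userId);
}

// Unchecked shape: the handler trusts the room id it is given and hands the
// role holders to any caller, member or not. This is the class of defect
// the advisory describes.
function getRoomRolesUnchecked(userId, rid) {
  const room = rooms[rid];
  if (!room) throw new Error('error-invalid-room');
  return room.roles;
}

// Checked shape: require a logged-in caller and room access before anything
// is disclosed. A missing room and a forbidden room raise the same error so
// the method does not confirm which private rooms exist.
function getRoomRolesChecked(userId, rid) {
  if (!userId) throw new Error('error-invalid-user');
  const room = rooms[rid];
  if (!room || !canAccessRoom(room, userId)) {
    throw new Error('error-not-allowed');
  }
  return room.roles;
}

module.exports = { canAccessRoom, getRoomRolesUnchecked, getRoomRolesChecked };
```

The workaround in the advisory (restricting access to the method) is the same gate applied at the method registration layer rather than inside the handler.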

Weakness Enumeration
- Missing Authorization
- Information Disclosure

Related Identifiers
- CVE-2022-35247

Affected Products
- Rocket.Chat