PT-2022-4945 · Unknown · Rocket.Chat

Gronke · Published 2022-06-01 · Updated 2022-09-27 · CVE-2022-32226

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Rocket.Chat versions prior to 5
Rocket.Chat versions prior to 4.8.2
Rocket.Chat versions prior to 4.7.5

Description

An improper access control issue exists due to insufficient input validation in the getUsersOfRoom Meteor server method. The method accepts MongoDB query operator objects in place of a plain rid String, so a $regex query is executed instead of an exact-match lookup. As a result, the room access permission check is applied only to the first matching room and is bypassed for every other room the query matches. This could allow a remote attacker to disclose protected information.

Recommendations

For Rocket.Chat versions prior to 5, update to version 5 or later to resolve the issue.
For Rocket.Chat versions prior to 4.8.2, update to version 4.8.2 or later to resolve the issue.
For Rocket.Chat versions prior to 4.7.5, update to version 4.7.5 or later to resolve the issue.
As a temporary workaround, consider restricting access to the getUsersOfRoom Meteor server method until a patch is available.
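As an added illustration (not Rocket.Chat's code), the following in-memory model shows why a "check the first match, then return every match" lookup breaks when a query operator object reaches a field that should hold a plain string, and the type check that closes the gap. The room records, usernames and function names are constructed for the example.

```javascript
// Constructed sample data standing in for a rooms collection.
const rooms = [
  { _id: 'GENERAL', usernames: ['alice', 'bob'] },
  { _id: 'SECRET1', usernames: ['alice'] },
  { _id: 'SECRET2', usernames: ['carol'] },
];

// Minimal stand-in for MongoDB field matching: an exact string, or a
// { $regex } operator object, which a real driver would also accept.
function matches(value, selector) {
  if (typeof selector === 'string') return value === selector;
  if (selector && typeof selector.$regex === 'string') {
    return new RegExp(selector.$regex).test(value);
  }
  return false;
}

function findRooms(selector) {
  return rooms.filter((r) => matches(r._id, selector));
}

// Flawed pattern: membership is verified against the first matching room
// only, but members are then collected from every matching room. With a
// string rid both queries hit one room; with an operator object they diverge.
function getUsersOfRoomUnchecked(rid, caller) {
  const first = findRooms(rid)[0];
  if (!first || !first.usernames.includes(caller)) {
    throw new Error('not-allowed');
  }
  return findRooms(rid).flatMap((r) => r.usernames);
}

// Hardened: reject anything that is not a non-empty string before it can
// become part of a query. This is the effect of Meteor's check(rid, String)
// in a server method.
function getUsersOfRoom(rid, caller) {
  if (typeof rid !== 'string' || rid.length === 0) {
    throw new Error('invalid-rid');
  }
  return getUsersOfRoomUnchecked(rid, caller);
}
```

The hardened entry point behaves identically for legitimate string room ids and refuses any object-shaped input, so the permission check and the result set always refer to the same single room.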

Exploit

Fix

Improper Access Control

RCE

Weakness Enumeration

Related Identifiers

BDU:2022-06137
CVE-2022-32226

Affected Products

Rocket.Chat