CVE-2022-32218
23.09.2022, 19:15
An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries.Enginsight
| Vendor | Product | Version |
|---|---|---|
| rocket.chat | rocket.chat | 𝑥 < 4.7.5 |
| rocket.chat | rocket.chat | 4.8.0 ≤ 𝑥 < 4.8.2 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-200 - Exposure of Sensitive Information to an Unauthorized ActorThe product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- CWE-203 - Observable DiscrepancyThe product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.