CVE-2022-32217 : A cleartext storage of sensitive information exists in Rocket.Chat <v4.6.4 due t

A cleartext storage of sensitive information exists in Rocket.Chat <v4.6.4 due to Oauth token being leaked in plaintext in Rocket.chat logs.

Published 2022-09-23 19:15:12

Updated 2022-09-27 13:53:17

Source HackerOne

View at NVD, CVE.org

Products affected by CVE-2022-32217

Rocket.chat » Rocket.chat
Versions before (<) 4.6.4
cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.31%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 53 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE-312 Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Assigned by: support@hackerone.com (Secondary)
CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

Assigned by: nvd@nist.gov (Primary)

https://hackerone.com/reports/1394399

HackerOne
Exploit;Issue Tracking;Third Party Advisory

Jump to