CVE-2022-29233

Improper access control for breakout rooms in BigBlue Button

CVSS 4.3 MEDIUMEPSS 1.0%CWE-285

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.3EPSS 1.0%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

01 Jun 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected products

bigbluebutton · bigbluebutton

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/bigbluebutton/bigbluebutton/pull/13117 https://github.com/bigbluebutton/bigbluebutton/pull/14265 https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18 https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-1 https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3mr9-p9gw-cf33