CVE-2022-29233

Improper access control for breakout rooms in BigBlue Button

CVSS 4.3 MEDIUMEPSS 1.0%CWE-285

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 4.3EPSS 1.0%KEV nãoPoC —Patch —

Ciclo de vida

01 jun 2022Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Productos afectados

bigbluebutton · bigbluebutton

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/bigbluebutton/bigbluebutton/pull/13117 https://github.com/bigbluebutton/bigbluebutton/pull/14265 https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18 https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-1 https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3mr9-p9gw-cf33