CVE-2022-29234
Grace period for lock settings in public/private chats in BigBlueButton
Vexday Risk Score: 13 (Low)
SSVC decision (CISA): Track
No sign of exploitation → monitor
CVSS 4.3 · EPSS 0.8% · KEV: no · PoC: — · Nuclei: — · Metasploit: — · Patch: —
Lifecycle
01 Jun 2022: Published in NVD
Recommendation: Monitor; no sign of exploitation for now.
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s after any lock setting in the meeting was changed. The attacker needs to be a participant in the meeting. Versions 2.3.18 and 2.4.1 contain a patch for this issue. There are currently no known workarounds.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected products
bigbluebutton · bigbluebutton
References
https://github.com/bigbluebutton/bigbluebutton/pull/13850
https://github.com/bigbluebutton/bigbluebutton/pull/14265
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.1
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-36vc-c338-6xjv