← voltar
CVE-2022-29233

Improper access control for breakout rooms in BigBlue Button

CVSS 4.3 MEDIUMEPSS 1.0%CWE-285
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 4.3EPSS 1.0%KEV nãoPoC Patch
Ciclo de vida
01 jun 2022Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Produtos afetados
bigbluebutton · bigbluebutton

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/bigbluebutton/bigbluebutton/pull/13117https://github.com/bigbluebutton/bigbluebutton/pull/14265https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-1https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3mr9-p9gw-cf33