← voltar
CVE-2022-29234

Grace period for lock settings in public/private chats in BigBlueButton

CVSS 4.3 MEDIUMEPSS 0.8%CWE-285
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 4.3EPSS 0.8%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
01 jun 2022Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s any lock setting in the meeting was changed. The attacker needs to be a participant in the meeting. Versions 2.3.18 and 2.4.1 contain a patch for this issue. There are currently no known workarounds.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Produtos afetados
bigbluebutton · bigbluebutton

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/bigbluebutton/bigbluebutton/pull/13850https://github.com/bigbluebutton/bigbluebutton/pull/14265https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.1https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-36vc-c338-6xjv