Podatność CVE-2022-29233
Publikacja: 2022-06-02

Opis:
BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds.

Typ:

CWE-285

 (Improper Authorization)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Ogólna skala CVSS
Znaczenie
Łatwość wykorzystania
5/10
2.9/10
10/10
Wymagany dostęp
Złożoność ataku
Autoryzacja
Zdalny
Niska
Nie wymagana
Wpływ na poufność
Wpływ na integralność
Wpływ na dostępność
Częściowy
Brak
Brak
Affected software
Bigbluebutton -> Bigbluebutton 

 Referencje:
https://github.com/bigbluebutton/bigbluebutton/pull/14265
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3mr9-p9gw-cf33
https://github.com/bigbluebutton/bigbluebutton/pull/13117
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-1
Copyright 2024, cxsecurity.com

 

Back to Top