PT-2023-28990 · Unknown · Bigbluebutton

Devme4Ff · Published 2023-10-30 · Updated 2023-11-08 · CVE-2023-43798

CVSS v3.1: 5.6 (Medium)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
BigBlueButton versions prior to 2.6.12
BigBlueButton versions prior to 2.7.0-rc.1

Description
BigBlueButton is affected by a Server-Side Request Forgery (SSRF) vulnerability that bypasses the fix for a previously known SSRF issue (see the related identifiers below). The patch disables automatic redirect following in the httpclient.execute call: since the software now resolves and uses finalUrl itself, the HTTP client no longer needs to follow redirects. There are no known workarounds for this issue.

Recommendations
For BigBlueButton versions prior to 2.6.12, upgrade to version 2.6.12 or later.
For BigBlueButton versions prior to 2.7.0-rc.1, upgrade to version 2.7.0-rc.1 or later.
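The fix described above, as an added illustration that is not BigBlueButton's code: a download feature validates a user-supplied URL once, but if the HTTP client is left to follow redirects on its own, a 302 served by the validated host can steer the request to an internal address and the check is bypassed. The hardened version walks the redirect chain itself, re-validating every hop, and only then fetches the resulting final URL with redirect following disabled, which is the pattern the advisory's "disable follow redirect ... when using finalUrl" wording suggests. The in-memory network and DNS tables, the hostnames and the functions `is_public_url`, `fetch_vulnerable` and `fetch_fixed` are all constructed for the example so that it runs offline.

```python
"""SSRF via redirect following, and the manual-resolution fix (added example)."""
import ipaddress
from urllib.parse import urljoin, urlparse

REDIRECTS = (301, 302, 303, 307, 308)

# Constructed "network": url -> (status, headers, body). The first host answers with
# a redirect to a link-local metadata address, the classic SSRF pivot.
FAKE_NETWORK = {
    "https://slides.example.org/deck.pdf": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"ami-id\ninstance-id\n"),
    "https://cdn.example.org/ok.pdf": (302, {"Location": "https://cdn.example.org/v2/ok.pdf"}, b""),
    "https://cdn.example.org/v2/ok.pdf": (200, {}, b"%PDF-1.4 ..."),
}

# Constructed DNS view: hostname -> address. The public hosts get globally routable IPs.
FAKE_DNS = {
    "slides.example.org": "93.184.216.34",
    "cdn.example.org": "93.184.216.35",
    "169.254.169.254": "169.254.169.254",
}


def is_public_url(url: str) -> bool:
    """Allow only http(s) URLs whose host resolves to a globally routable address."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    addr = FAKE_DNS.get(p.hostname)
    if addr is None:
        return False
    return ipaddress.ip_address(addr).is_global


def http_get(url: str, follow_redirects: bool):
    """Minimal client over FAKE_NETWORK. With follow_redirects=True it behaves like a
    client whose built-in redirect handling is on: every hop is followed, unchecked."""
    for _ in range(5):
        status, headers, body = FAKE_NETWORK[url]
        if status in REDIRECTS and follow_redirects:
            url = urljoin(url, headers["Location"])
            continue
        return status, headers, body, url
    raise RuntimeError("too many redirects")


def fetch_vulnerable(user_url: str):
    """Validate once, then let the client follow redirects: a 302 bypasses the check."""
    if not is_public_url(user_url):
        raise ValueError(f"blocked: {user_url}")
    _, _, body, final = http_get(user_url, follow_redirects=True)
    return final, body


def resolve_final_url(user_url: str, max_hops: int = 5) -> str:
    """Walk the redirect chain manually, validating every hop, and return the final URL."""
    url = user_url
    for _ in range(max_hops):
        if not is_public_url(url):
            raise ValueError(f"blocked: {url}")
        status, headers, _, _ = http_get(url, follow_redirects=False)
        if status in REDIRECTS:
            url = urljoin(url, headers["Location"])
            continue
        return url
    raise ValueError("too many redirects")


def fetch_fixed(user_url: str):
    """Resolve the final URL ourselves, then fetch it with redirect following disabled."""
    final = resolve_final_url(user_url)
    _, _, body, got = http_get(final, follow_redirects=False)
    return got, body


if __name__ == "__main__":
    print("vulnerable:", fetch_vulnerable("https://slides.example.org/deck.pdf"))
    try:
        fetch_fixed("https://slides.example.org/deck.pdf")
    except ValueError as e:
        print("fixed:", e)
    print("fixed, benign chain:", fetch_fixed("https://cdn.example.org/ok.pdf"))
```

Two caveats a reviewer would raise on the real thing: the client's own redirect handling must actually be off for the final fetch (with Apache HttpClient 4.x that is `RequestConfig.custom().setRedirectsEnabled(false)`), otherwise the manual resolution is decorative; and the host check above resolves DNS separately from the connection, so a name that changes its answer between the two (DNS rebinding) still needs to be handled, for instance by connecting to the validated address rather than the hostname.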

Exploit

Fix

SSRF


Weakness Enumeration

Related identifiers

CVE-2023-43798
GHSA-3Q22-HPH2-CFF7
GHSA-H98V-2H8W-99C4

Affected products

Bigbluebutton