Defnull

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions 3.0.21 and below **Description** BigBlueButton is an open-source virtual classroom. Following instructions in the official documentation for "Server Customization" regarding ClamAV as a presentation file scanner can leave a BigBlueButton server vulnerable to a Denial of Service. The documentation’s instructions expose ports (3310 and 7357) to the internet. A remote attacker can exploit this by sending complex or large documents to clamd, potentially wasting server resources or shutting down the clamd process. The clamd documentation warns against exposing this port. Mounting /var/bigbluebutton with write permissions into the container, as suggested in the documentation, could also pose a future risk if vulnerabilities in clamd allow file manipulation within that folder. Users are only affected if they have followed the specific instructions in the BigBlueButton documentation. **Recommendations** Versions prior to 3.0.22 should not follow the documentation instructions for "Server Customization" on Support for ClamAV as presentation file scanner. Do not expose ports 3310 and 7357 to the internet. Avoid mounting /var/bigbluebutton with write permissions into the container.

Name of the Vulnerable Software and Affected Versions: Werkzeug versions prior to 3.0.6 Description: Applications using `werkzeug.formparser.MultiPartParser` to parse `multipart/form-data` requests are vulnerable to a relatively simple but effective resource exhaustion attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Recommendations: For versions prior to 3.0.6, update to Werkzeug version 3.0.6 to fix the issue. As a temporary workaround, consider setting the `Request.max form memory size` to limit the resources used during a request. Additionally, consider setting the `Request.max content length` and resource limits provided by deployment software and platforms to limit the resources used during a request.

Name of the Vulnerable Software and Affected Versions: Starlette versions prior to 0.40.0 Description: The issue is related to how Starlette handles `multipart/form-data` parts without a `filename`, treating them as text form fields and buffering them in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields, causing Starlette to slow down significantly due to excessive memory allocations and copy operations, and consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable. This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests. Recommendations: For versions prior to 0.40.0, update to version 0.40.0 to fix the issue. As a temporary workaround, consider restricting the size of form fields or disabling the handling of `multipart/form-data` parts without a `filename` to minimize the risk of exploitation. Avoid using the `multipart/form-data` endpoint with untrusted input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions prior to 2.6.18 BigBlueButton versions prior to 2.7.8 BigBlueButton versions prior to 3.0.0-alpha.7 **Description** BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters, such as `role=moderator`, allowing an attacker to join a meeting as moderator using a join link that was originally created for viewer access. **Recommendations** For versions prior to 2.6.18, update to version 2.6.18 or later. For versions prior to 2.7.8, update to version 2.7.8 or later. For versions prior to 3.0.0-alpha.7, update to version 3.0.0-alpha.7 or later.