CVE-2020-12443

Name of the Vulnerable Software and Affected Versions BigBlueButton versions prior to 2.2.6

Description The issue allows remote attackers to read arbitrary files due to a directory traversal vulnerability. This can be leveraged for privilege escalation to access sensitive files, such as bigbluebutton.properties. The problem arises from an ineffective mitigation attempt in an NGINX configuration file, which did not account for the case-insensitive nature of the relevant NGINX component. This issue is related to a previous attempted fix that was insufficient.

Recommendations For versions prior to 2.2.6, update to version 2.2.6 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.