PT-2020-16714 · Bigbluebutton+1

Published: 2020-10-21 · Updated: 2020-10-30 · CVE-2020-27604

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

BigBlueButton versions prior to 2.3

Description

The issue is related to the lack of LibreOffice sandboxing, which could allow remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With access to the API shared secret, an attacker can use the "api/join" endpoint to join an arbitrary meeting, regardless of its guestPolicy setting.

Recommendations

For versions prior to 2.3, update to version 2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the bigbluebutton.properties file to minimize the risk of the API shared secret being read. Avoid using the api/join endpoint with arbitrary meeting IDs until the issue is resolved.

Exploit

Fix

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

CVE-2020-27604

Affected Products

Bigbluebutton
Libreoffice