PT-2022-19427 · Nginx+1
Author: Giang. Võ Quý
Published: 2022-06-01
Updated: 2023-07-21
CVE-2022-29169
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
BigBlueButton versions prior to 2.3.19
BigBlueButton versions prior to 2.4.7
BigBlueButton versions prior to 2.5.0-beta.2
Description
The issue allows regular expression denial of service (ReDoS) attacks. An attacker can cause a denial of service of the bbb-html5 service by supplying specially crafted input that is matched against a specific regular expression. The lookupUserAgent() function, which processes its input with regular expressions, can be abused by providing a ReDoS payload through the SmartWatch variable.
Recommendations
For versions prior to 2.3.19, consider disabling Nginx forwarding of the requests to the handler according to the directions in the GitHub Security Advisory.
For versions prior to 2.4.7, consider disabling Nginx forwarding of the requests to the handler according to the directions in the GitHub Security Advisory.
For versions prior to 2.5.0-beta.2, consider disabling Nginx forwarding of the requests to the handler according to the directions in the GitHub Security Advisory.
Affected Products
Bigbluebutton
Nginx