PT-2022-19483 · Unknown · Bigbluebutton

Juraj Somorovsky +2

Published 2022-06-01 · Updated 2022-06-09

CVE-2022-29233

CVSS v2.0: 5.0 (Medium), Vector AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
BigBlueButton versions 2.2 through 2.3.17; BigBlueButton 2.4 release candidates from 2.4-rc-1 up to (but not including) the fixed 2.4 release candidate.

Description
BigBlueButton is an open source web conferencing system. An attacker who is already a participant of a meeting can circumvent access controls to gain access to all breakout rooms of that meeting, including rooms they were not assigned to. The permission checks rely on the requester knowing a breakout room's internal id rather than on verifying the requester's role in the meeting, so possession of an id is treated as authorization (improper authorization).

Recommendations
For BigBlueButton versions 2.2 through 2.3.17, update to version 2.3.18 or later. For 2.4 release candidates from 2.4-rc-1 onward, update to the release candidate that carries the fix (2.4-rc-6 according to the upstream advisory GHSA-3MR9-P9GW-CF33) or a later 2.4 release. The fix changes the check to verify the user's role instead of relying on knowledge of internal ids; no workaround other than updating is known.


Weakness Enumeration

Improper Authorization

Related Identifiers

CVE-2022-29233
GHSA-3MR9-P9GW-CF33

Affected Products

Bigbluebutton