PT-2023-24192 · Unknown · Bigbluebutton

Abdulmohsen Alotaibi · Published 2023-06-26 · Updated 2023-10-31 · CVE-2023-33176

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions: BigBlueButton (affected versions not specified)

Description: BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions, a Server-Side Request Forgery (SSRF) vulnerability exists. The insertDocument API request allows users to supply a URL from which the presentation should be downloaded, and this URL was being used without validation. An update to the followRedirect method in the PresentationUrlDownloadService has been made to validate all URLs for presentation download. Two new properties, presentationDownloadSupportedProtocols and presentationDownloadBlockedHosts, have been added to bigbluebutton.properties to define allowed protocols and blocked hosts for presentation downloads. URLs passed to insertDocument must conform to these requirements, resolve to valid addresses, and not be local or loopback addresses.

Recommendations: To resolve the issue, users are advised to upgrade to a patched version of BigBlueButton. As a temporary workaround, consider restricting access to the insertDocument API endpoint until a patch is available. Additionally, administrators can define allowed protocols and blocked hosts using the presentationDownloadSupportedProtocols and presentationDownloadBlockedHosts properties in bigbluebutton.properties to minimize the risk of exploitation.
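The checks the fix describes (an allowed-protocol list, a blocked-host list, resolving the host and rejecting local or loopback addresses, and re-validating each redirect target) are illustrated below as an added Python example. It is not BigBlueButton's own Java code and does not reproduce its PresentationUrlDownloadService; only the two property names come from the advisory, while the policy values, the fixture hostnames, the addresses, and all function names are constructed for this example.

```python
"""SSRF policy for presentation download URLs (added illustration, not BigBlueButton code)."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urljoin, urlsplit


class PresentationUrlError(ValueError):
    """Raised when a presentation download URL violates the policy."""


# Sample policy. The property names are the advisory's; the values are constructed.
SUPPORTED_PROTOCOLS = ("https",)                     # presentationDownloadSupportedProtocols
BLOCKED_HOSTS = ("localhost", "metadata.internal")   # presentationDownloadBlockedHosts
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def system_resolver(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for host (not used by the offline fixtures)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr) -> bool:
    """True only for addresses outside loopback, private, link-local and reserved ranges."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                      # ::ffff:127.0.0.1 is still loopback
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_presentation_url(url: str, *, supported_protocols=SUPPORTED_PROTOCOLS,
                              blocked_hosts=BLOCKED_HOSTS,
                              resolver: Callable[[str], Iterable[str]] = system_resolver) -> str:
    """Return url unchanged if it passes every check, otherwise raise PresentationUrlError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in supported_protocols:
        raise PresentationUrlError(f"protocol {scheme or '<none>'!r} is not allowed")
    host = parts.hostname                            # lower-cased; IPv6 brackets stripped
    if not host:
        raise PresentationUrlError("URL has no host")
    if host.rstrip(".") in {h.lower().rstrip(".") for h in blocked_hosts}:
        raise PresentationUrlError(f"host {host!r} is blocked")
    try:
        addrs = [ipaddress.ip_address(host)]         # literal IP: no DNS lookup needed
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise PresentationUrlError(f"host {host!r} does not resolve")
    for addr in addrs:                               # every answer must be public
        if not is_public_address(addr):
            raise PresentationUrlError(f"host {host!r} resolves to non-public address {addr}")
    return url


def check_presentation_url(url: str, **policy) -> tuple[bool, str]:
    """Non-raising form: (True, url) on success, (False, reason) on rejection."""
    try:
        return True, validate_presentation_url(url, **policy)
    except PresentationUrlError as exc:
        return False, str(exc)


def follow_redirects(url: str, fetch: Callable[[str], tuple[int, Optional[str]]],
                     *, max_hops: int = 5, **policy) -> str:
    """Validate the initial URL and each redirect target before that target is fetched."""
    current = validate_presentation_url(url, **policy)
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_STATUSES or not location:
            return current
        # A relative Location header is resolved against the current URL, then re-checked.
        current = validate_presentation_url(urljoin(current, location), **policy)
    raise PresentationUrlError("too many redirects")


def safe_download_url(url: str, fetch, **policy) -> Optional[str]:
    """Final validated URL of the redirect chain, or None if any hop was rejected."""
    try:
        return follow_redirects(url, fetch, **policy)
    except PresentationUrlError:
        return None


# Constructed offline fixtures (no real hosts or addresses) so the example runs without network.
FAKE_DNS = {
    "files.example.org": ["1.2.3.4"],
    "cdn.example.org": ["5.6.7.8"],
    "intranet.example.org": ["10.0.0.5"],
    "mixed.example.org": ["5.6.7.8", "127.0.0.1"],   # one public answer, one loopback
}
FAKE_HTTP = {   # url -> (status, Location header)
    "https://files.example.org/deck.pdf": (302, "https://cdn.example.org/deck.pdf"),
    "https://cdn.example.org/deck.pdf": (200, None),
    "https://files.example.org/bounce.pdf": (302, "http://127.0.0.1:8080/"),
    "https://files.example.org/hop.pdf": (302, "/other.pdf"),
    "https://files.example.org/other.pdf": (302, "https://intranet.example.org/x"),
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def fake_fetch(url: str) -> tuple[int, Optional[str]]:
    return FAKE_HTTP.get(url, (404, None))


if __name__ == "__main__":
    for u in ("https://files.example.org/deck.pdf", "https://files.example.org/bounce.pdf",
              "https://files.example.org/hop.pdf", "https://mixed.example.org/x"):
        print(u, "->", safe_download_url(u, fake_fetch, resolver=fake_resolver))
```

Two design points matter here. First, a host is rejected if any resolved address is non-public, since the downloader cannot control which answer the HTTP client will use. Second, validating the resolved addresses still leaves a gap if the HTTP client performs its own lookup afterwards; a production implementation should connect to the address it validated rather than letting the client resolve the name a second time.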

SSRF

Weakness Enumeration

Related Identifiers

CVE-2023-33176
GHSA-3Q22-HPH2-CFF7

Affected Products

Bigbluebutton