PT-2023-28990 · Unknown · Bigbluebutton
Devme4Ff · Published 2023-10-30 · Updated 2023-11-08 · CVE-2023-43798
CVSS v3.1: 5.6 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
BigBlueButton versions prior to 2.6.12
BigBlueButton versions prior to 2.7.0-rc.1
Description
The issue is a Server-Side Request Forgery (SSRF) that bypasses the fix for a previously known problem. The patch disables redirect following at httpclient.execute, since the software no longer needs to follow redirects when using finalUrl. There are no known workarounds for this issue.
Recommendations
For BigBlueButton versions prior to 2.6.12, upgrade to version 2.6.12 or later.
For BigBlueButton versions prior to 2.7.0-rc.1, upgrade to version 2.7.0-rc.1 or later.
Exploit
Fix
SSRF
Weakness Enumeration
Related Identifiers
Affected Products
Bigbluebutton