BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds.
References
Link | Resource |
---|---|
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 | Release Notes Third Party Advisory |
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq | Patch Third Party Advisory |
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 | Release Notes Third Party Advisory |
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 06:48
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 - Release Notes, Third Party Advisory | |
References | () https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq - Patch, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
07 Nov 2023, 03:44
Type | Values Removed | Values Added |
---|---|---|
Summary | BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds. |
27 Jun 2023, 15:11
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-863 |
Information
Published : 2022-12-17 01:15
Updated : 2024-11-21 06:48
NVD link : CVE-2022-23488
Mitre link : CVE-2022-23488
CVE.ORG link : CVE-2022-23488
JSON object : View
Products Affected
bigbluebutton
- bigbluebutton