CVE-2022-23488

BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha1:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha2:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta1:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta2:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta3:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta4:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc1:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc2:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc3:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc4:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc5:*:*:*:*:*:*

History

21 Nov 2024, 06:48

Type Values Removed Values Added
References () https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 - Release Notes, Third Party Advisory () https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 - Release Notes, Third Party Advisory
References () https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq - Patch, Third Party Advisory () https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq - Patch, Third Party Advisory
CVSS v2 : unknown
v3 : 7.5
v2 : unknown
v3 : 6.5

07 Nov 2023, 03:44

Type Values Removed Values Added
Summary BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds. BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds.

27 Jun 2023, 15:11

Type Values Removed Values Added
CWE CWE-668 CWE-863

Information

Published : 2022-12-17 01:15

Updated : 2024-11-21 06:48


NVD link : CVE-2022-23488

Mitre link : CVE-2022-23488

CVE.ORG link : CVE-2022-23488


JSON object : View

Products Affected

bigbluebutton

  • bigbluebutton
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-201

Insertion of Sensitive Information Into Sent Data

CWE-863

Incorrect Authorization