Lucene search

GitHub_MCVE-2023-43798

HistoryOct 30, 2023 - 11:15 p.m.

CVE-2023-43798

2023-10-3023:15:08

CWE-918

GitHub_M

web.nvd.nist.gov

bigbluebutton

cve-2023-43798

virtual classroom

ssrf

security vulnerability

nvd

patch

CVSS3

5.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

AI Score

5.8

Confidence

High

EPSS

0.001

Percentile

37.9%

JSON

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled follow redirect at httpclient.execute since the software no longer has to follow it when using finalUrl. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton.

Affected configurations

Nvd

Vulners

Node

bigbluebuttonbigbluebuttonRange<2.6.12

bigbluebuttonbigbluebuttonMatch2.7.0alpha1

bigbluebuttonbigbluebuttonMatch2.7.0alpha2

bigbluebuttonbigbluebuttonMatch2.7.0alpha3

bigbluebuttonbigbluebuttonMatch2.7.0beta1

bigbluebuttonbigbluebuttonMatch2.7.0beta2

bigbluebuttonbigbluebuttonMatch2.7.0beta3

VendorProductVersionCPE
bigbluebuttonbigbluebutton*cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*
bigbluebuttonbigbluebutton2.7.0cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha1:*:*:*:*:*:*
bigbluebuttonbigbluebutton2.7.0cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha2:*:*:*:*:*:*
bigbluebuttonbigbluebutton2.7.0cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha3:*:*:*:*:*:*
bigbluebuttonbigbluebutton2.7.0cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta1:*:*:*:*:*:*
bigbluebuttonbigbluebutton2.7.0cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta2:*:*:*:*:*:*
bigbluebuttonbigbluebutton2.7.0cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta3:*:*:*:*:*:*

Vendor	Product	Version	CPE
bigbluebutton	bigbluebutton	*	cpe:2.3:a:bigbluebutton:bigbluebutton::::::::
bigbluebutton	bigbluebutton	2.7.0	cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha1::::::
bigbluebutton	bigbluebutton	2.7.0	cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha2::::::
bigbluebutton	bigbluebutton	2.7.0	cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha3::::::
bigbluebutton	bigbluebutton	2.7.0	cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta1::::::
bigbluebutton	bigbluebutton	2.7.0	cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta2::::::
bigbluebutton	bigbluebutton	2.7.0	cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta3::::::

CNA Affected

[
  {
    "vendor": "bigbluebutton",
    "product": "bigbluebutton",
    "versions": [
      {
        "version": "< 2.6.12",
        "status": "affected"
      },
      {
        "version": ">= 2.7.0-alpha.1, < 2.7.0-rc.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/bigbluebutton/bigbluebutton/pull/18494

github.com/bigbluebutton/bigbluebutton/pull/18580

github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7

github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-h98v-2h8w-99c4

CVSS3

5.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

AI Score

5.8

Confidence

High

EPSS

0.001

Percentile

37.9%

JSON

Related for CVE-2023-43798