Lucene search

[email protected]CVE-2024-38518

HistoryJun 28, 2024 - 9:15 p.m.

CVE-2024-38518

2024-06-2821:15:03

CWE-284

[email protected]

web.nvd.nist.gov

bigbluebutton

virtual classroom

api

vulnerability

patched

additional parameters

moderator role

4.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

4.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be “role=moderator”, allowing an attacker to join a meeting as moderator using a join link that was originally created for viewer access. This vulnerability has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.

Affected configurations

Vulners

Node

bigbluebuttonbigbluebuttonRange<2.6.18

bigbluebuttonbigbluebuttonRange2.7.0–2.7.8

bigbluebuttonbigbluebuttonRange2.8.0–3.0.0-alpha.7

CNA Affected

[
  {
    "vendor": "bigbluebutton",
    "product": "bigbluebutton",
    "versions": [
      {
        "version": "< 2.6.18",
        "status": "affected"
      },
      {
        "version": ">= 2.7.0, < 2.7.8",
        "status": "affected"
      },
      {
        "version": ">= 2.8.0, < 3.0.0-alpha.7",
        "status": "affected"
      }
    ]
  }
]

References

github.com/bigbluebutton/bigbluebutton/commit/a9d436accdcd26ea66bed9f391488ac128cd62d1

github.com/bigbluebutton/bigbluebutton/commit/ea6e9461dceae8fa593543d8c686f77bb8677e72

github.com/bigbluebutton/bigbluebutton/pull/20279

github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4m48-49h7-f3c4