GitHub_MCVELIST:CVE-2023-43798CVE-2023-43798 BigBlueButton Blind SSRF When Uploading Presentation (mitigation bypass)
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
AI Score
Confidence
High
EPSS
Percentile
37.9%
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled follow redirect at httpclient.execute since the software no longer has to follow it when using finalUrl. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton.
CNA Affected
[
{
"vendor": "bigbluebutton",
"product": "bigbluebutton",
"versions": [
{
"version": "< 2.6.12",
"status": "affected"
},
{
"version": ">= 2.7.0-alpha.1, < 2.7.0-rc.1",
"status": "affected"
}
]
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
AI Score
Confidence
High
EPSS
Percentile
37.9%