GitHub_MCVELIST:CVE-2024-39302CVE-2024-39302 Some bbb-record-core files installed with wrong file permission
3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
0.0004 Low
EPSS
Percentile
15.7%
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the /usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0 directory with the goal of privilege escalation, potentially exposing sensitive information on the server. This issue has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.
CNA Affected
[
{
"vendor": "bigbluebutton",
"product": "bigbluebutton",
"versions": [
{
"version": "< 2.6.18",
"status": "affected"
},
{
"version": ">= 2.7.0, < 2.7.8",
"status": "affected"
},
{
"version": ">= 2.8.0, < 3.0.0-alpha.7",
"status": "affected"
}
]
}
]References
github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18
github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a
github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a
github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q
3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
0.0004 Low
EPSS
Percentile
15.7%