CVE-2020-12443

2020-04-2902:15:11

Google

osv.dev

7.5 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

80.1%

JSON

BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a …/ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive.

CPENameOperatorVersion
bigbluebuttoneq0.8b4
bigbluebuttoneq2.2-beta-2
bigbluebuttoneq2.0-rc7
bigbluebuttoneq2.2-beta-17
bigbluebuttoneq0.81-dev-deskshare-fixes-compatible-with-0.8
bigbluebuttoneqpre-recording-merge
bigbluebuttoneq0.9.2
bigbluebuttoneq2.0-rc4
bigbluebuttoneq2.2-beta-11
bigbluebuttoneq2.2-beta-4

Name	Operator	Version
bigbluebutton	eq	0.8b4
bigbluebutton	eq	2.2-beta-2
bigbluebutton	eq	2.0-rc7
bigbluebutton	eq	2.2-beta-17
bigbluebutton	eq	0.81-dev-deskshare-fixes-compatible-with-0.8
bigbluebutton	eq	pre-recording-merge
bigbluebutton	eq	0.9.2
bigbluebutton	eq	2.0-rc4
bigbluebutton	eq	2.2-beta-11
bigbluebutton	eq	2.2-beta-4