CVE-2020-27604

2020-10-2115:15:26

Google

osv.dev

6.6 Medium

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

62.0%

JSON

BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.

CPENameOperatorVersion
bigbluebuttoneq2.2.3
bigbluebuttoneq0.9.2
bigbluebuttoneq0.9.0-beta
bigbluebuttoneq2.2.0
bigbluebuttoneq2.2-beta-6
bigbluebuttoneq2.2-beta-19
bigbluebuttoneq2.2-rc-2
bigbluebuttoneq0.8
bigbluebuttoneq2.0-rc6
bigbluebuttoneq2.0-rc7

Name	Operator	Version
bigbluebutton	eq	2.2.3
bigbluebutton	eq	0.9.2
bigbluebutton	eq	0.9.0-beta
bigbluebutton	eq	2.2.0
bigbluebutton	eq	2.2-beta-6
bigbluebutton	eq	2.2-beta-19
bigbluebutton	eq	2.2-rc-2
bigbluebutton	eq	0.8
bigbluebutton	eq	2.0-rc6
bigbluebutton	eq	2.0-rc7