Lucene search

GitHub_MVULNRICHMENT:CVE-2024-38518

HistoryJun 28, 2024 - 8:25 p.m.

CVE-2024-38518 bbb-web API additional parameters considered

2024-06-2820:25:40

CWE-284

GitHub_M

github.com

bigbluebutton

web api

additional parameters

signed join link

moderator role

vulnerability

patch

version 2.6.18

version 2.7.8

version 3.0.0-alpha.7

CVSS3

4.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

AI Score

6.8

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be “role=moderator”, allowing an attacker to join a meeting as moderator using a join link that was originally created for viewer access. This vulnerability has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.

CNA Affected

[
  {
    "vendor": "bigbluebutton",
    "product": "bigbluebutton",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.6.18"
      },
      {
        "status": "affected",
        "version": ">= 2.7.0, < 2.7.8"
      },
      {
        "status": "affected",
        "version": ">= 2.8.0, < 3.0.0-alpha.7"
      }
    ]
  }
]

References

github.com/bigbluebutton/bigbluebutton/commit/a9d436accdcd26ea66bed9f391488ac128cd62d1

github.com/bigbluebutton/bigbluebutton/commit/ea6e9461dceae8fa593543d8c686f77bb8677e72

github.com/bigbluebutton/bigbluebutton/pull/20279

github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4m48-49h7-f3c4