Vulnerabilities > CVE-2020-27609 - Incorrect Authorization vulnerability in Bigbluebutton

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

LOW

Availability impact

NONE

network

low complexity

bigbluebutton

CWE-863

NVD

Published: 2020-10-21

Updated: 2020-10-29

Summary

BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.

Vulnerable Configurations

Part	Description	Count
Application	Bigbluebutton Bigbluebutton Bigbluebutton 2.2.7 Bigbluebutton Bigbluebutton 2.2.8 Bigbluebutton Bigbluebutton 2.2.25 Bigbluebutton Bigbluebutton 2.2.26 Bigbluebutton Bigbluebutton 2.2.27 Bigbluebutton Bigbluebutton 2.2.28	6

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

References

https://docs.bigbluebutton.org/admin/privacy.html
https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html