Vulnerabilities > CVE-2022-29236 - Unspecified vulnerability in Bigbluebutton
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
LOW Integrity impact
NONE Availability impact
NONE Summary
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds.
Vulnerable Configurations
References
- https://github.com/bigbluebutton/bigbluebutton/pull/13803
- https://github.com/bigbluebutton/bigbluebutton/pull/13803
- https://github.com/bigbluebutton/bigbluebutton/pull/14265
- https://github.com/bigbluebutton/bigbluebutton/pull/14265
- https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18
- https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18
- https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6
- https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r