CVE-2022-29233
Summary
| CVE | CVE-2022-29233 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-06-02 00:15:00 UTC |
| Updated | 2022-06-09 14:56:00 UTC |
| Description | BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds. |
Risk And Classification
Problem Types: CWE-285
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Bigbluebutton | Bigbluebutton | All | All | All | All |
| Application | Bigbluebutton | Bigbluebutton | 2.4 | alpha1 | All | All |
| Application | Bigbluebutton | Bigbluebutton | 2.4 | alpha2 | All | All |
| Application | Bigbluebutton | Bigbluebutton | 2.4 | beta1 | All | All |
| Application | Bigbluebutton | Bigbluebutton | 2.4 | beta2 | All | All |
| Application | Bigbluebutton | Bigbluebutton | 2.4 | beta3 | All | All |
| Application | Bigbluebutton | Bigbluebutton | 2.4 | beta4 | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Improper access control for breakout rooms · Advisory · bigbluebutton/bigbluebutton · GitHub | CONFIRM | github.com | |
| Release BigBlueButton 2.4-rc-1 · bigbluebutton/bigbluebutton · GitHub | MISC | github.com | |
| fix: Constraint viewer capability of request breakout url by jfsiebel · Pull Request #13117 · bigbluebutton/bigbluebutton · GitHub | MISC | github.com | |
| Release BigBlueButton 2.3.18 · bigbluebutton/bigbluebutton · GitHub | MISC | github.com | |
| Backport constraint improvements to 2.3 by Tainan404 · Pull Request #14265 · bigbluebutton/bigbluebutton · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.