CVE-2022-29235

BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched in versions 2.3.18 and 2.4-rc-6 by modifying the stream to send the data only for users in the meeting. There are currently no known workarounds.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
GitHub_MCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 35%
VendorProductVersion
bigbluebuttonbigbluebutton
2.2.0 ≤
𝑥
< 2.3.18
bigbluebuttonbigbluebutton
2.4:alpha1
bigbluebuttonbigbluebutton
2.4:alpha2
bigbluebuttonbigbluebutton
2.4:beta1
bigbluebuttonbigbluebutton
2.4:beta2
bigbluebuttonbigbluebutton
2.4:beta3
bigbluebuttonbigbluebutton
2.4:beta4
bigbluebuttonbigbluebutton
2.4:rc1
bigbluebuttonbigbluebutton
2.4:rc3
bigbluebuttonbigbluebutton
2.4:rc4
bigbluebuttonbigbluebutton
2.4:rc5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/bigbluebutton/bigbluebutton/pull/13788
https://github.com/bigbluebutton/bigbluebutton/pull/14265
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6
https://github.com/bigbluebutton/bigbluebutton/pull/13788
https://github.com/bigbluebutton/bigbluebutton/pull/14265
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6