CVE-2023-42804

30.10.2023, 19:15

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path, to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	3.1 LOW	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
GitHub_M	CNA	3.1 LOW	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 54%

Vendor	Product	Version
bigbluebutton	bigbluebutton	𝑥 ≤ 2.5.18
bigbluebutton	bigbluebutton	2.6.0:alpha1
bigbluebutton	bigbluebutton	2.6.0:alpha2
bigbluebutton	bigbluebutton	2.6.0:alpha3
bigbluebutton	bigbluebutton	2.6.0:alpha4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://github.com/bigbluebutton/bigbluebutton/pull/15960

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84

https://github.com/bigbluebutton/bigbluebutton/pull/15960

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84