CVE-2022-29236

BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/bigbluebutton/bigbluebutton/pull/13803	Patch Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/pull/14265	Patch Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18	Release Notes Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6	Release Notes Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:bigbluebutton:bigbluebutton::::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha1::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha2::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta1::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta2::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta3::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta4::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc1::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc3::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc4::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc5::::::

History

08 Mar 2024, 19:15

Type	Values Removed	Values Added
Summary	(en) BigBlueButton is an open source web conferencing system. Starting in version 2.2 and up to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds.	(en) BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds.

09 Jun 2022, 17:39

Type	Values Removed	Values Added
First Time		Bigbluebutton bigbluebutton Bigbluebutton
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 4.0 v3 : 4.3
References	~~(CONFIRM) https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r -~~	(CONFIRM) https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r - Patch, Third Party Advisory
References	~~(MISC) https://github.com/bigbluebutton/bigbluebutton/pull/14265 -~~	(MISC) https://github.com/bigbluebutton/bigbluebutton/pull/14265 - Patch, Third Party Advisory
References	~~(MISC) https://github.com/bigbluebutton/bigbluebutton/pull/13803 -~~	(MISC) https://github.com/bigbluebutton/bigbluebutton/pull/13803 - Patch, Third Party Advisory
References	~~(MISC) https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18 -~~	(MISC) https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18 - Release Notes, Third Party Advisory
References	~~(MISC) https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 -~~	(MISC) https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 - Release Notes, Third Party Advisory
CPE		cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha1:::::: cpe:2.3:a:bigbluebutton:bigbluebutton:::::::: cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta2:::::: cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta3:::::: cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc5:::::: cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc3:::::: cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta1:::::: cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha2:::::: cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc4:::::: cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc1:::::: cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta4::::::

02 Jun 2022, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-06-02 00:15

Updated : 2024-03-08 19:15

NVD link : CVE-2022-29236

Mitre link : CVE-2022-29236

CVE.ORG link : CVE-2022-29236

JSON object : View

Products Affected

bigbluebutton

bigbluebutton

CWE

CWE-285

Improper Authorization

4.3 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2022-29236

4.3^/10

4.0^/10

Attach tags to `CVE-2022-29236`