CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
AI Score
Confidence
High
EPSS
Percentile
41.9%
BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an insertDocument
API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the followRedirect
method in the PresentationUrlDownloadService
has been made to validate all URLs to be used for presentation download. Two new properties presentationDownloadSupportedProtocols
and presentationDownloadBlockedHosts
have also been added to bigbluebutton.properties
to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to insertDocument
must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton.
[
{
"vendor": "bigbluebutton",
"product": "bigbluebutton",
"versions": [
{
"version": ">= 2.6.0, < 2.6.9",
"status": "affected"
},
{
"version": "< 2.5.18",
"status": "affected"
}
]
}
]
github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415
github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71
github.com/bigbluebutton/bigbluebutton/pull/18045
github.com/bigbluebutton/bigbluebutton/pull/18052
github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
AI Score
Confidence
High
EPSS
Percentile
41.9%