7.5
CVE-2022-23488
- EPSS 0.07%
- Veröffentlicht 17.12.2022 01:15:09
- Zuletzt bearbeitet 21.11.2024 06:48:39
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginBigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
BigBlueButton ≫ BigBlueButton Version < 2.4
BigBlueButton ≫ BigBlueButton Version2.4 Updatealpha1
BigBlueButton ≫ BigBlueButton Version2.4 Updatealpha2
BigBlueButton ≫ BigBlueButton Version2.4 Updatebeta1
BigBlueButton ≫ BigBlueButton Version2.4 Updatebeta2
BigBlueButton ≫ BigBlueButton Version2.4 Updatebeta3
BigBlueButton ≫ BigBlueButton Version2.4 Updatebeta4
BigBlueButton ≫ BigBlueButton Version2.4 Updaterc1
BigBlueButton ≫ BigBlueButton Version2.4 Updaterc2
BigBlueButton ≫ BigBlueButton Version2.4 Updaterc3
BigBlueButton ≫ BigBlueButton Version2.4 Updaterc4
BigBlueButton ≫ BigBlueButton Version2.4 Updaterc5
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.07% | 0.227 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| security-advisories@github.com | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
|
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-201 Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.