CVE-2022-29169

EPSS 0.65%
Veröffentlicht 01.06.2022 23:15:07
Zuletzt bearbeitet 21.11.2024 06:58:37
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using specific a RegularExpression, an attacker can cause denial of service for the bbb-html5 service. The useragent library performs checking of device by parsing the input of User-Agent header and lets it go through lookupUserAgent() (alias of useragent.lookup() ). This function handles input by regexing and attackers can abuse that by providing some ReDos payload using `SmartWatch`. The maintainers removed `htmlclient/useragent` from versions 2.3.19, 2.4.7, and 2.5.0-beta.2. As a workaround, disable NginX forwarding the requests to the handler according to the directions in the GitHub Security Advisory.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

BigBlueButton ≫ BigBlueButton Version >= 2.2.0 < 2.3.19

BigBlueButton ≫ BigBlueButton Version >= 2.4.0 < 2.4.7

BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha1

BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha2

BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha3

BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha4

BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha5

BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha6

BigBlueButton ≫ BigBlueButton Version2.5 Updatebeta1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.65%	0.701

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/bigbluebutton/bigbluebutton/pull/14886

Patch

Third Party Advisory

https://github.com/bigbluebutton/bigbluebutton/pull/14896

Patch

Third Party Advisory

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rwrv-p665-4vwp

Patch

Third Party Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2022-29169

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-29169

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-29169

EUVD