CVE-2022-29236

EPSS 0.81%
Veröffentlicht 02.06.2022 00:15:08
Zuletzt bearbeitet 21.11.2024 06:58:46
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Improper access control for pencil annotations in BigBlueButton

Improper access control for pencil annotations

BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds.

Mögliche Gegenmaßnahme

Server: No workaround.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 9

NVD 11 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

BigBlueButton ≫ BigBlueButton Version >= 2.2.0 < 2.3.18

BigBlueButton ≫ BigBlueButton Version2.4 Updatealpha1

BigBlueButton ≫ BigBlueButton Version2.4 Updatealpha2

BigBlueButton ≫ BigBlueButton Version2.4 Updatebeta1

BigBlueButton ≫ BigBlueButton Version2.4 Updatebeta2

BigBlueButton ≫ BigBlueButton Version2.4 Updatebeta3

BigBlueButton ≫ BigBlueButton Version2.4 Updatebeta4

BigBlueButton ≫ BigBlueButton Version2.4 Updaterc1

BigBlueButton ≫ BigBlueButton Version2.4 Updaterc3

BigBlueButton ≫ BigBlueButton Version2.4 Updaterc4

BigBlueButton ≫ BigBlueButton Version2.4 Updaterc5

Weitere Schwachstelleninformationen

SystemBigBlueButton

≫

Produkt Server

Version >= 0.0.0, < 2.3.18

Version >= 2.4-rc-6.0, < 2.4-rc-6

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.81%	0.521

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/bigbluebutton/bigbluebutton/pull/14265

Patch

Third Party Advisory

https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18

Third Party Advisory

Release Notes

https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6

Third Party Advisory

Release Notes

https://github.com/bigbluebutton/bigbluebutton/pull/13803

Patch

Third Party Advisory

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r

Patch

Third Party Advisory

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-29236

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-29236

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-29236

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-29236