CVE-2023-43798

BigBlueButton Blind SSRF When Uploading Presentation (mitigation bypass)

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled redirect following in `httpclient.execute`, since the software no longer needs to follow redirects when using `finalUrl`. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton.

Possible mitigation

Server: There are no workarounds. We recommend upgrading to a patched version of BigBlueButton.

Data provided by the National Vulnerability Database (NVD)
Affected configurations (vendor BigBlueButton, product BigBlueButton):

Version < 2.6.12
Version 2.7.0, update alpha1
Version 2.7.0, update alpha2
Version 2.7.0, update alpha3
Version 2.7.0, update beta1
Version 2.7.0, update beta2
Version 2.7.0, update beta3
Further vulnerability information

System: BigBlueButton
Product: Server
Version >= 0.0.0, < 2.6.12
Version >= 2.7.0, < 2.7.0-rc.1
No advisory warning was found for this CVE.

EPSS metrics

Type   Source     Score   Percentile
EPSS   FIRST.org  0.42%   0.332

CVSS metrics

Source                         Base Score  Exploit Score  Impact Score  Vector String
nvd@nist.gov                   5.4         2.8            2.5           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
security-advisories@github.com 5.6         2.2            3.4           CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7
Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/pull/18494
Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/pull/18580
Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-h98v-2h8w-99c4
Third Party Advisory