BigBlueButton Path Traversal – Reading Certain File Extensions
CVE-2023-42804

3.1LOW

Key Information:

Vendor: Bigbluebutton
Status: Bigbluebutton
Vendor: CVE Published:; 30 October 2023

🔔 Create Bigbluebutton Vulnerability Alert

What is CVE-2023-42804?

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path, to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds.

Affected Version(s)

bigbluebutton < 2.6.0-beta.1

References

https://github.com/bigbluebutton/bigbluebutton/security/a...

x_refsource_CONFIRM

https://github.com/bigbluebutton/bigbluebutton/pull/15960

x_refsource_MISC

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 30, 2023
Vulnerability Reserved
Sep 14, 2023

CVE-2023-42804 Data

JSON