BigBlueButton Blind SSRF When Uploading Presentation (mitigation bypass)
CVE-2023-43798

5.6MEDIUM

Key Information:

Vendor

Bigbluebutton

Status
Bigbluebutton
Vendor
CVE Published:
30 October 2023

What is CVE-2023-43798?

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled follow redirect at httpclient.execute since the software no longer has to follow it when using finalUrl. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton.

Affected Version(s)

bigbluebutton < 2.6.12 < 2.6.12

bigbluebutton >= 2.7.0-alpha.1, < 2.7.0-rc.1 < 2.7.0-alpha.1, 2.7.0-rc.1

References

https://github.com/bigbluebutton/bigbluebutton/security/a...
x_refsource_CONFIRM
https://github.com/bigbluebutton/bigbluebutton/security/a...
x_refsource_MISC
https://github.com/bigbluebutton/bigbluebutton/pull/18494
x_refsource_MISC

CVSS V3.1

Score:
5.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.