Overview
- Description
- BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled follow redirect at `httpclient.execute` since the software no longer has to follow it when using `finalUrl`. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 5.4
- Impact score
- 2.5
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Severity
- MEDIUM
Weaknesses
- security-advisories@github.com
- CWE-918
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "07AC33B9-3067-4848-B48D-ABDD7286DE51",
"versionEndExcluding": "2.6.12"
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "C05D5D11-75BE-41FA-A62F-61F35B16BA9A"
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "C23D21AA-EF44-4F61-9775-57E3AF206CEE"
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "1E95E50E-3C1E-438A-BAEC-AE0DF69B2937"
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A7EC2B6A-1A13-40FE-85D6-30D596813394"
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "5A7D33D7-AE88-4ED4-82A4-BCFA7E828AD1"
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "49CCF586-942D-4B21-BFD2-486EF3FCDF7E"
}
],
"operator": "OR"
}
]
}
]