CVE-2022-29235
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
02/06/2022
Last modified:
08/03/2024
Description
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched in versions 2.3.18 and 2.4-rc-6 by modifying the stream to send the data only for users in the meeting. There are currently no known workarounds.
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:* | 2.2.0 (including) | 2.3.18 (excluding) |
| cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha1:*:*:*:*:*:* | ||
| cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha2:*:*:*:*:*:* | ||
| cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta1:*:*:*:*:*:* | ||
| cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta2:*:*:*:*:*:* | ||
| cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta3:*:*:*:*:*:* | ||
| cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta4:*:*:*:*:*:* | ||
| cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc1:*:*:*:*:*:* | ||
| cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc3:*:*:*:*:*:* | ||
| cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc4:*:*:*:*:*:* | ||
| cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/bigbluebutton/bigbluebutton/pull/13788
- https://github.com/bigbluebutton/bigbluebutton/pull/14265
- https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18
- https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6