First published: Wed Oct 21 2020
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
BigBlueButton | <2.2.8 | Upgrade to 2.3 or later
CVE-2020-27604 is a vulnerability in BigBlueButton versions before 2.3 that allows remote authenticated users to read the API shared secret, compromising the security of the deployment.
CVE-2020-27604 arises because BigBlueButton versions before 2.3 do not sandbox LibreOffice, the component used to convert uploaded presentations; without that isolation, a remote authenticated user can more easily read the API shared secret stored in the bigbluebutton.properties file.
CVE-2020-27604 has a severity of 6.5 (medium).
An attacker who holds the API shared secret can sign API requests such as api/join and thereby join arbitrary meetings regardless of their guestPolicy setting, leading to unauthorized access.
To mitigate CVE-2020-27604, upgrade to BigBlueButton version 2.3 or later, which runs LibreOffice in a proper sandbox.