CVE-2022-23488: BigBlueButton vulnerable to Insertion of Sensitive Information Into Sent Data
First published: Sat Dec 17 2022(Updated: )
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bigbluebutton Bigbluebutton | <2.4 | |
| Bigbluebutton Bigbluebutton | =2.4-alpha1 | |
| Bigbluebutton Bigbluebutton | =2.4-alpha2 | |
| Bigbluebutton Bigbluebutton | =2.4-beta1 | |
| Bigbluebutton Bigbluebutton | =2.4-beta2 | |
| Bigbluebutton Bigbluebutton | =2.4-beta3 | |
| Bigbluebutton Bigbluebutton | =2.4-beta4 | |
| Bigbluebutton Bigbluebutton | =2.4-rc1 | |
| Bigbluebutton Bigbluebutton | =2.4-rc2 | |
| Bigbluebutton Bigbluebutton | =2.4-rc3 | |
| Bigbluebutton Bigbluebutton | =2.4-rc4 | |
| Bigbluebutton Bigbluebutton | =2.4-rc5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-23488?
CVE-2022-23488 is a vulnerability in the BigBlueButton web conferencing system that allows attackers to subscribe to viewers' webcams.
What version of BigBlueButton is affected by CVE-2022-23488?
Versions prior to 2.4-rc-6 of BigBlueButton are affected by CVE-2022-23488.
How severe is CVE-2022-23488?
CVE-2022-23488 has a severity rating of 7.5 (high).
How can I fix CVE-2022-23488?
To fix CVE-2022-23488, you should update your BigBlueButton installation to version 2.4-rc-6 or later.
Where can I find more information about CVE-2022-23488?
You can find more information about CVE-2022-23488 on the BigBlueButton GitHub page and the BigBlueButton security advisories page.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/remedy
- agent/severity
- agent/title
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/bigbluebutton
- canonical/bigbluebutton bigbluebutton
- version/bigbluebutton bigbluebutton/2.4-alpha1
- version/bigbluebutton bigbluebutton/2.4-alpha2
- version/bigbluebutton bigbluebutton/2.4-beta1
- version/bigbluebutton bigbluebutton/2.4-beta2
- version/bigbluebutton bigbluebutton/2.4-beta3
- version/bigbluebutton bigbluebutton/2.4-beta4
- version/bigbluebutton bigbluebutton/2.4-rc1
- version/bigbluebutton bigbluebutton/2.4-rc2
- version/bigbluebutton bigbluebutton/2.4-rc3
- version/bigbluebutton bigbluebutton/2.4-rc4
- version/bigbluebutton bigbluebutton/2.4-rc5