CVE-2022-29233: Improper access control for breakout rooms in BigBlue Button
First published: Wed Jun 01 2022(Updated: )
BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bigbluebutton Bigbluebutton | >=2.2.0<2.3.18 | |
| Bigbluebutton Bigbluebutton | =2.4-alpha1 | |
| Bigbluebutton Bigbluebutton | =2.4-alpha2 | |
| Bigbluebutton Bigbluebutton | =2.4-beta1 | |
| Bigbluebutton Bigbluebutton | =2.4-beta2 | |
| Bigbluebutton Bigbluebutton | =2.4-beta3 | |
| Bigbluebutton Bigbluebutton | =2.4-beta4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/bigbluebutton/bigbluebutton/pull/13117
- https://github.com/bigbluebutton/bigbluebutton/pull/14265
- https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18
- https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-1
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3mr9-p9gw-cf33
Frequently Asked Questions
What is CVE-2022-29233?
CVE-2022-29233 is a vulnerability in the BigBlueButton web conferencing system that allows an attacker to bypass access controls and gain access to all breakout rooms of the meeting they are in.
What is the severity of CVE-2022-29233?
CVE-2022-29233 has a severity level of 4.3, which is considered medium.
Which versions of BigBlueButton are affected by CVE-2022-29233?
BigBlueButton versions 2.2 up to 2.3.18 and versions 2.4-alpha1 to 2.4-beta4 are affected by CVE-2022-29233.
How can an attacker exploit CVE-2022-29233?
An attacker can exploit CVE-2022-29233 by circumventing access controls and using internal ids to gain access to all breakout rooms of the meeting they are in.
Are there any patches or fixes available for CVE-2022-29233?
Yes, patches and fixes for CVE-2022-29233 are available in the BigBlueButton releases tagged v2.3.18 and higher.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/remedy
- agent/title
- agent/severity
- agent/references
- agent/author
- agent/tags
- agent/softwarecombine
- agent/first-publish-date
- agent/description
- agent/event
- vendor/bigbluebutton
- canonical/bigbluebutton bigbluebutton
- version/bigbluebutton bigbluebutton/2.2.0
- version/bigbluebutton bigbluebutton/2.4-alpha1
- version/bigbluebutton bigbluebutton/2.4-alpha2
- version/bigbluebutton bigbluebutton/2.4-beta1
- version/bigbluebutton bigbluebutton/2.4-beta2
- version/bigbluebutton bigbluebutton/2.4-beta3
- version/bigbluebutton bigbluebutton/2.4-beta4