CVE-2022-23488 - OpenCVE

BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bigbluebutton	Bigbluebutton

Configuration 1 [-]

OR	cpe:2.3:a:bigbluebutton:bigbluebutton::::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha1::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha2::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta1::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta2::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta3::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta4::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc1::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc2::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc3::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc4::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc5::::::

No data.

References

Link	Providers
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-12-17T00:28:46.567Z

Updated: 2024-08-03T03:43:46.414Z

Reserved: 2022-01-19T21:23:53.762Z

Link: CVE-2022-23488

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-17T01:15:09.293

Modified: 2023-11-07T03:44:10.463

Link: CVE-2022-23488

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-23488", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "dateReserved": "2022-01-19T21:23:53.762Z", "datePublished": "2022-12-17T00:28:46.567Z", "dateUpdated": "2024-08-03T03:43:46.414Z"}, "containers": {"cna": {"title": "BigBlueButton vulnerable to Insertion of Sensitive Information Into Sent Data", "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "lang": "en", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq"}, {"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6", "tags": ["x_refsource_MISC"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"}], "affected": [{"vendor": "bigbluebutton", "product": "bigbluebutton", "versions": [{"version": "< 2.4-rc-6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-17T00:28:46.567Z"}, "descriptions": [{"lang": "en", "value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds."}], "source": {"advisory": "GHSA-j5g3-f74q-rvfq", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:46.414Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq"}, {"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*", "matchCriteriaId": "91AA496D-9C0A-4900-96D5-33E4180B74D4", "versionEndExcluding": "2.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha1:*:*:*:*:*:*", "matchCriteriaId": "C136F53E-2EC5-433F-B354-88DA37689142", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha2:*:*:*:*:*:*", "matchCriteriaId": "626A8774-BC38-4F11-A16B-918EC8740C82", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta1:*:*:*:*:*:*", "matchCriteriaId": "33735D00-C2AC-4FDA-B47B-B15D099F26F3", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta2:*:*:*:*:*:*", "matchCriteriaId": "98890F0C-2E60-4696-A6E5-F44FB2A1A5BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta3:*:*:*:*:*:*", "matchCriteriaId": "0C916210-11BF-4F4C-AE3E-29D27135F3F9", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta4:*:*:*:*:*:*", "matchCriteriaId": "ABB37B70-021E-48F6-B3D2-0790A4729A3C", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "407E0358-75E5-41D9-A624-3C15D2145DDE", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc2:*:*:*:*:*:*", "matchCriteriaId": "12259673-5B79-40E4-8B08-8CB3B9C1A5A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc3:*:*:*:*:*:*", "matchCriteriaId": "EC135064-4919-4759-BC25-34C7868F6431", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc4:*:*:*:*:*:*", "matchCriteriaId": "A0173198-BFAB-49E5-898E-173503C452C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc5:*:*:*:*:*:*", "matchCriteriaId": "CCB8C413-ECD9-47BF-963C-B3A0F25A1BD8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds."}, {"lang": "es", "value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. Las versiones anteriores a la 2.4-rc-6 son vulnerables a la inserci\u00f3n de informaci\u00f3n confidencial en los datos enviados. La configuraci\u00f3n de bloqueo de c\u00e1maras web exclusivas para moderadores no se aplica en el backend, lo que permite a un atacante suscribirse a las c\u00e1maras web de los espectadores, incluso cuando se aplica la configuraci\u00f3n de bloqueo. (El streamId requerido se enviaba a todos los usuarios incluso con la configuraci\u00f3n de bloqueo aplicada). Este problema se solucion\u00f3 en la versi\u00f3n 2.4-rc-6. No hay workaround."}], "id": "CVE-2022-23488", "lastModified": "2023-11-07T03:44:10.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-12-17T01:15:09.293", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-201"}], "source": "security-advisories@github.com", "type": "Secondary"}]}