{"containers": {"cna": {"title": "Limited data exposure for shared external videos in BigBlueButton", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6"}, {"name": "https://github.com/bigbluebutton/bigbluebutton/pull/13788", "tags": ["x_refsource_MISC"], "url": "https://github.com/bigbluebutton/bigbluebutton/pull/13788"}, {"name": "https://github.com/bigbluebutton/bigbluebutton/pull/14265", "tags": ["x_refsource_MISC"], "url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"}, {"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18", "tags": ["x_refsource_MISC"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"}, {"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6", "tags": ["x_refsource_MISC"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"}], "affected": [{"vendor": "bigbluebutton", "product": "bigbluebutton", "versions": [{"version": ">= 2.2, < 2.3.18", "status": "affected"}, {"version": ">= 2.4-alpha-1, < 2.4-rc-6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-08T18:44:57.111Z"}, "descriptions": [{"lang": "en", "value": "BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched in versions 2.3.18 and 2.4-rc-6 by modifying the stream to send the data only for users in the meeting. There are currently no known workarounds."}], "source": {"advisory": "GHSA-x82p-j22f-v4q6", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:17:54.233Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6"}, {"name": "https://github.com/bigbluebutton/bigbluebutton/pull/13788", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bigbluebutton/bigbluebutton/pull/13788"}, {"name": "https://github.com/bigbluebutton/bigbluebutton/pull/14265", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"}, {"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"}, {"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-29235", "datePublished": "2022-06-01T23:25:18.000Z", "dateReserved": "2022-04-13T00:00:00.000Z", "dateUpdated": "2024-08-03T06:17:54.233Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*", "matchCriteriaId": "60814A0D-57C0-4407-B7DD-26A9D5C3DBB1", "versionEndExcluding": "2.3.18", "versionStartIncluding": "2.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha1:*:*:*:*:*:*", "matchCriteriaId": "C136F53E-2EC5-433F-B354-88DA37689142", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha2:*:*:*:*:*:*", "matchCriteriaId": "626A8774-BC38-4F11-A16B-918EC8740C82", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta1:*:*:*:*:*:*", "matchCriteriaId": "33735D00-C2AC-4FDA-B47B-B15D099F26F3", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta2:*:*:*:*:*:*", "matchCriteriaId": "98890F0C-2E60-4696-A6E5-F44FB2A1A5BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta3:*:*:*:*:*:*", "matchCriteriaId": "0C916210-11BF-4F4C-AE3E-29D27135F3F9", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta4:*:*:*:*:*:*", "matchCriteriaId": "ABB37B70-021E-48F6-B3D2-0790A4729A3C", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "407E0358-75E5-41D9-A624-3C15D2145DDE", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc3:*:*:*:*:*:*", "matchCriteriaId": "EC135064-4919-4759-BC25-34C7868F6431", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc4:*:*:*:*:*:*", "matchCriteriaId": "A0173198-BFAB-49E5-898E-173503C452C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc5:*:*:*:*:*:*", "matchCriteriaId": "CCB8C413-ECD9-47BF-963C-B3A0F25A1BD8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched in versions 2.3.18 and 2.4-rc-6 by modifying the stream to send the data only for users in the meeting. There are currently no known workarounds."}, {"lang": "es", "value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. A partir de la versi\u00f3n 2.2 y versiones hasta 2.3.18 y 2.4-rc-6, un atacante que sea capaz de obtener el identificador de una reuni\u00f3n en un servidor puede encontrar informaci\u00f3n relacionada con un v\u00eddeo externo que esta siendo compartiendo, como la marca de tiempo actual y la reproducci\u00f3n/pausa. El problema ha sido parcheado en versiones 2.3.18 y 2.4-rc-6, al modificar el flujo para enviar los datos s\u00f3lo para usuarios de la reuni\u00f3n. Actualmente no son conocidas mitigaciones"}], "id": "CVE-2022-29235", "lastModified": "2024-11-21T06:58:46.600", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-02T00:15:08.390", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/pull/13788"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/pull/13788"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}