CVE-2023-42804 - OpenCVE

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path, to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bigbluebutton	Bigbluebutton

Configuration 1 [-]

OR	cpe:2.3:a:bigbluebutton:bigbluebutton::::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha1::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha2::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha3::::::
	cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha4::::::

No data.

References

Link	Providers
https://github.com/bigbluebutton/bigbluebutton/pull/15960
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-10-30T18:14:41.419Z

Updated: 2024-09-05T20:23:14.540Z

Reserved: 2023-09-14T16:13:33.306Z

Link: CVE-2023-42804

Vulnrichment

Updated: 2024-08-02T19:30:24.724Z

NVD

Status : Analyzed

Published: 2023-10-30T19:15:08.037

Modified: 2023-11-07T23:17:42.680

Link: CVE-2023-42804

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-42804", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-14T16:13:33.306Z", "datePublished": "2023-10-30T18:14:41.419Z", "dateUpdated": "2024-09-05T20:23:14.540Z"}, "containers": {"cna": {"title": "BigBlueButton Path Traversal \u2013 Reading Certain File Extensions", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84"}, {"name": "https://github.com/bigbluebutton/bigbluebutton/pull/15960", "tags": ["x_refsource_MISC"], "url": "https://github.com/bigbluebutton/bigbluebutton/pull/15960"}], "affected": [{"vendor": "bigbluebutton", "product": "bigbluebutton", "versions": [{"version": "< 2.6.0-beta.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-30T18:14:41.419Z"}, "descriptions": [{"lang": "en", "value": "BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path, to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds."}], "source": {"advisory": "GHSA-3qjg-229m-vq84", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:30:24.724Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84"}, {"name": "https://github.com/bigbluebutton/bigbluebutton/pull/15960", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bigbluebutton/bigbluebutton/pull/15960"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-05T20:22:39.156360Z", "id": "CVE-2023-42804", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T20:23:14.540Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84", "name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15960", "name": "https://github.com/bigbluebutton/bigbluebutton/pull/15960", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:30:24.724Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-42804", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-05T20:22:39.156360Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T20:22:45.674Z"}}], "cna": {"title": "BigBlueButton Path Traversal \u2013 Reading Certain File Extensions", "source": {"advisory": "GHSA-3qjg-229m-vq84", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "bigbluebutton", "product": "bigbluebutton", "versions": [{"status": "affected", "version": "< 2.6.0-beta.1"}]}], "references": [{"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84", "name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15960", "name": "https://github.com/bigbluebutton/bigbluebutton/pull/15960", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path, to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-30T18:14:41.419Z"}}}, "cveMetadata": {"cveId": "CVE-2023-42804", "state": "PUBLISHED", "dateUpdated": "2024-09-05T20:23:14.540Z", "dateReserved": "2023-09-14T16:13:33.306Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-10-30T18:14:41.419Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F3F6566-B94F-4CBC-B1BA-DACA51865D76", "versionEndIncluding": "2.5.18", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "83C1F894-31BC-4C2D-AD62-837D990257CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "84EE596E-A3F6-4B29-B51D-CAE19A74D5E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "A8DD6CB9-0B7E-4C4E-BDC6-D8FD1B85882D", "vulnerable": true}, {"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "1BA4033B-60B8-4674-98CA-F5794B905362", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path, to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds."}, {"lang": "es", "value": "BigBlueButton es un aula virtual de c\u00f3digo abierto. BigBlueButton anterior a la versi\u00f3n 2.6.0-beta.1 tiene una vulnerabilidad de path traversal que permite a un atacante con una ruta de carpeta de inicio v\u00e1lida atravesar y leer otros archivos sin autenticaci\u00f3n, asumiendo que los archivos tienen ciertas extensiones (txt, swf, svg, png). En la versi\u00f3n 2.6.0-beta.1, se agreg\u00f3 validaci\u00f3n de entrada en los par\u00e1metros que se pasan y se eliminan los caracteres peligrosos. No se conocen workarounds."}], "id": "CVE-2023-42804", "lastModified": "2023-11-07T23:17:42.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-10-30T19:15:08.037", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/pull/15960"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}