Exposure of messages in public chats

High
antobinary published GHSA-3fqh-p4qr-vfm9 Jun 1, 2022

Package

No package listed

Affected versions

2.2, < 2.3.9

Patched versions

2.3.9, 2.4+

Description

Impact

An attacker can circumvent access controls to obtain the content of public chat messages from different meetings on the server. The attacker must be a participant in a meeting on the server.

Patches

Patched in BigBlueButton 2.3.9 and higher.

Workarounds

No workarounds.

References

Patched in BigBlueButton 2.3 via #12861 and included in BigBlueButton 2.4 as of BigBlueButton 2.4-beta-1.

For more information

If you have any questions or comments about this advisory:

Credits

We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.

Severity

High

CVE ID

CVE-2022-29232

Weaknesses

No CWEs