Improper access control for breakout rooms

Low
antobinary published GHSA-3mr9-p9gw-cf33 Jun 1, 2022

Package

No package listed

Affected versions

2.2, <2.3.18, <2.4-rc-1

Patched versions

2.3.18, 2.4-rc-1

Description

Impact

In BigBlueButton before 2.3.18, an attacker could circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks relied on knowledge of internal IDs rather than on verification of the user's role.

Patches

Patched on BigBlueButton 2.4-rc-1 and higher.
Patched on BigBlueButton 2.3.18 and higher.

Workarounds

No workaround.

References

Patched on BigBlueButton 2.4 #13117
Patched on BigBlueButton 2.3 #14265

For more information

If you have any questions or comments about this advisory:

Credits

We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.

Severity

Low

CVE ID

CVE-2022-29233

Weaknesses

No CWEs