
Improper access control for pencil annotations

Low
antobinary published GHSA-p93g-r9gm-9v6r Jun 1, 2022

Package

No package listed

Affected versions

2.2, <2.3.18, <2.4-rc-6

Patched versions

2.3.18, 2.4-rc-6

Description

Impact

In BigBlueButton before 2.3.18 an attacker can circumvent access restrictions for drawing on the whiteboard. The server-side permission check was inadvertently skipped because of a previously introduced grace period. The attacker must be a meeting participant.
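As an added illustration of the bug class described above (this is constructed example code, not BigBlueButton's; the meeting structure, function names and grace-period length are assumptions), a server-side annotation check in the vulnerable shape, where an active grace period disables the authorization check for everyone, beside the corrected shape, where the grace period only extends access a user already held:

```javascript
// Constructed model of a server-side whiteboard annotation check (not BigBlueButton's code).
// Rules: the presenter may always draw; other participants may draw only while granted access.
// When access is revoked, a short grace period lets that user's in-flight strokes still land.
const GRACE_MS = 2000; // assumed length of the grace window

function makeMeeting(presenterId) {
  return { presenterId, whiteboardUsers: new Set(), grace: new Map() /* userId -> expiry */ };
}

function grantAccess(meeting, userId) {
  meeting.whiteboardUsers.add(userId);
}

function revokeAccess(meeting, userId, now) {
  meeting.whiteboardUsers.delete(userId);
  meeting.grace.set(userId, now + GRACE_MS); // strokes already in transit from this user are tolerated
}

function hasDrawPermission(meeting, userId) {
  return userId === meeting.presenterId || meeting.whiteboardUsers.has(userId);
}

// Vulnerable pattern: any unexpired grace entry in the meeting short-circuits the check,
// so a participant who never had access can draw while someone else's grace window is open.
function acceptAnnotationVulnerable(meeting, userId, now) {
  const graceActive = [...meeting.grace.values()].some((expiry) => now < expiry);
  if (graceActive) return true; // permission check skipped for every user
  return hasDrawPermission(meeting, userId);
}

// Fixed pattern: authorize first; the grace window applies only to the requesting user's own revocation.
function acceptAnnotationFixed(meeting, userId, now) {
  if (hasDrawPermission(meeting, userId)) return true;
  const expiry = meeting.grace.get(userId);
  return expiry !== undefined && now < expiry;
}

// Constructed scenario: alice's access is revoked at t=1000; bob, a viewer who never had access,
// sends an annotation at t=1500 (inside alice's grace window) and again at t=4000 (after it closed).
function runScenario() {
  const meeting = makeMeeting("presenter");
  grantAccess(meeting, "alice");
  revokeAccess(meeting, "alice", 1000);
  return {
    aliceInGraceVuln: acceptAnnotationVulnerable(meeting, "alice", 1500), // true (legitimate)
    aliceInGraceFixed: acceptAnnotationFixed(meeting, "alice", 1500), // true (legitimate)
    bobInGraceVuln: acceptAnnotationVulnerable(meeting, "bob", 1500), // true: the bypass
    bobInGraceFixed: acceptAnnotationFixed(meeting, "bob", 1500), // false
    bobAfterGraceVuln: acceptAnnotationVulnerable(meeting, "bob", 4000), // false
    aliceAfterGraceFixed: acceptAnnotationFixed(meeting, "alice", 4000), // false
  };
}
```

A regression test for this class of bug should exercise the grace window with a user who never held access, not only with the user whose access was revoked.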

Patches

Patched in 2.4-rc-6 and higher.
Patched in 2.3.18 and higher.

Workarounds

No workaround.

References

Patch for BigBlueButton 2.4-rc-6 #13803
Patch for BigBlueButton 2.3.18 #14265

For more information

If you have any questions or comments about this advisory:

Credits

We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.

Severity

Low

CVE ID

CVE-2022-29236

Weaknesses

No CWEs