Impact
In BigBlueButton before 2.3.18, an attacker can circumvent the access restrictions for drawing on the whiteboard. The server-side permission check was inadvertently skipped because of a previously introduced grace period. The attacker must be a meeting participant.
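The bug class described above, as an added illustration that is not BigBlueButton's own code: a hypothetical server-side whiteboard handler in which a grace-period branch returns before the permission check (so any participant can draw), placed next to the hardened ordering that still authorizes every sender. The meeting state, user ids and timestamps are constructed.

```javascript
// Hypothetical illustration of the defect class in this advisory: a server-side
// permission check skipped by a grace period. Not BigBlueButton's own code.

// Constructed meeting state. Assumption: a presenter change starts a short grace
// period so the previous presenter's in-flight annotations are not lost.
const meeting = {
  presenterId: 'u-presenter',
  previousPresenterId: 'u-old',
  presenterChangedAt: 1000,   // constructed timestamp, ms
  gracePeriodMs: 5000,
  multiUserWhiteboard: false,
};

// The actual authorization rule: the presenter, or anyone in multi-user mode.
function hasWhiteboardAccess(m, userId) {
  return userId === m.presenterId || m.multiUserWhiteboard;
}

function withinGracePeriod(m, now) {
  return now - m.presenterChangedAt < m.gracePeriodMs;
}

// Flawed ordering: during the grace period the handler returns early, so the
// permission check below is never reached for ANY participant.
function allowDrawVulnerable(m, userId, now) {
  if (withinGracePeriod(m, now)) return true;
  return hasWhiteboardAccess(m, userId);
}

// Hardened: the grace period only extends access to the user it was meant for;
// every other sender still goes through the permission check.
function allowDrawFixed(m, userId, now) {
  if (withinGracePeriod(m, now) && userId === m.previousPresenterId) return true;
  return hasWhiteboardAccess(m, userId);
}

// Server-side handler: drop unauthorized annotations and emit a rejection log
// line, which is the signal a defender can monitor for abuse attempts.
function handleAnnotation(m, userId, now, allow) {
  if (!allow(m, userId, now)) {
    return { accepted: false, log: `whiteboard annotation rejected: user=${userId} t=${now}` };
  }
  return { accepted: true, log: null };
}
```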
Patches
Patched in 2.4-rc-6 and higher.
Patched in 2.3.18 and higher.
Workarounds
No workaround.
References
Patch for BigBlueButton 2.4-rc-6 #13803
Patch for BigBlueButton 2.3.18 #14265
For more information
If you have any questions or comments about this advisory:
Credits
We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.