Limited data exposure for shared external videos

Low
antobinary published GHSA-x82p-j22f-v4q6 Jun 1, 2022

Package

No package listed

Affected versions

2.2, <2.3.18, <2.4-rc-6

Patched versions

2.3.18, 2.4-rc-6

Description

Impact

An attacker who can obtain the meeting identifier for a meeting on a server can read information about an external video being shared in that meeting, such as the current playback timestamp and the play/pause state, without being a participant in the meeting.

Patches

The problem has been patched in the currently maintained versions of BigBlueButton 2.3 and 2.4 by modifying the stream so that the external-video data is sent only to users who are in the meeting.

Patched in 2.4-rc-6 and higher.
Patched in 2.3.18 and higher.

Workarounds

No workaround.

References

Patch for BigBlueButton 2.4-rc-6 #13788
Patch for BigBlueButton 2.3.18 #14265

For more information

If you have any questions or comments about this advisory:

Credits

We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.

Severity

Low

CVE ID

CVE-2022-29235

Weaknesses

No CWEs