CVE-2023-43798: Blind SSRF When Uploading Presentation (mitigation bypass)

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. The patch in versions 2.6.12 and 2.7.0-rc.1 disables redirect following at httpclient.execute, since the client no longer needs to follow redirects when fetching finalUrl. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton.


Impact

Server-Side Request Forgery (SSRF) is an attack in which a malicious actor abuses an application's functionality to read or modify internal resources. This is typically accomplished by supplying a URL to the server, which the server then requests on the attacker's behalf. In an insertDocument API request, an admin who knows the API Secret Salt can supply a URL from which the presentation should be downloaded. This URL was used without having been successfully validated first: the fix for CVE-2023-33176 validates the supplied URL itself, but the HTTP client still followed redirects, so an allowed URL that redirected to an internal address was fetched anyway. That redirect path is what the patch below closes.

Patches

Redirect following was disabled in the httpclient.execute call, since the client no longer needs to follow redirects when fetching finalUrl.

BigBlueButton 2.6.12 patch: #18580
BigBlueButton 2.7.0-rc.1 patch: #18494
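The redirect bypass and the patch, modeled as an added example that is not BigBlueButton code (the project's fetcher is Java using Apache HttpClient; this Python stand-in replaces real HTTP and DNS with a constructed in-memory network and resolver). `vulnerable_fetch` validates the URL once and then follows redirects, as the client did before this patch; `patched_fetch` disables redirect following, as the 2.6.12 / 2.7.0-rc.1 patches do; `strict_fetch` goes beyond the patch and re-validates every hop, for callers that must follow redirects. All URLs, hostnames, addresses and function names are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed, in-memory stand-in for the network so the example runs offline.
# Each entry maps a URL to (status, headers, body). The public CDN host serves a
# legitimate deck and also a redirect that points at a loopback-only service.
FAKE_NET = {
    "https://cdn.example.com/deck.pdf": (200, {}, b"%PDF-1.4 public deck"),
    "https://cdn.example.com/redirect": (302, {"Location": "http://127.0.0.1:8080/admin"}, b""),
    "http://127.0.0.1:8080/admin": (200, {}, b"internal admin panel"),
}

# Constructed resolver (no DNS is performed). 93.184.216.34 is simply a
# public address chosen for illustration.
FAKE_DNS = {"cdn.example.com": "93.184.216.34", "127.0.0.1": "127.0.0.1"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_allowed_url(url: str) -> bool:
    """Validate one URL: http(s) only, resolvable, and resolving to a public address."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ip = FAKE_DNS.get(parts.hostname)
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def fetch(url: str, follow_redirects: bool, revalidate_hops: bool = False,
          max_hops: int = 5):
    """Validate `url` once up front, then fetch it from FAKE_NET.

    follow_redirects=True, revalidate_hops=False models the pre-patch client:
        the Location target is fetched without any further check.
    follow_redirects=False models the patch: the validated URL is fetched
        exactly once and any redirect response is returned to the caller.
    revalidate_hops=True is an alternative hardening: every hop is re-checked.
    """
    if not is_allowed_url(url):
        raise PermissionError(f"rejected URL: {url}")
    for _ in range(max_hops):
        status, headers, body = FAKE_NET[url]
        if status in REDIRECT_STATUSES and follow_redirects:
            url = headers["Location"]
            if revalidate_hops and not is_allowed_url(url):
                raise PermissionError(f"rejected redirect target: {url}")
            continue
        return status, body
    raise RuntimeError("too many redirects")


def vulnerable_fetch(url: str):
    """Pre-patch behaviour: one validation, then blind redirect following."""
    return fetch(url, follow_redirects=True)


def patched_fetch(url: str):
    """Patched behaviour: redirect following disabled at the client."""
    return fetch(url, follow_redirects=False)


def strict_fetch(url: str):
    """Alternative: follow redirects but validate each hop's target."""
    return fetch(url, follow_redirects=True, revalidate_hops=True)


def is_rejected(fetcher, url: str) -> bool:
    """True if the given fetcher refuses the URL (or one of its hops)."""
    try:
        fetcher(url)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    attacker_url = "https://cdn.example.com/redirect"
    print("vulnerable:", vulnerable_fetch(attacker_url))   # reaches loopback
    print("patched:   ", patched_fetch(attacker_url))      # 302 returned, no hop
    print("strict:    ", is_rejected(strict_fetch, attacker_url))
```

With redirect following disabled, the validated URL is contacted exactly once and the 302 is handed back to the caller, so the loopback target is never requested. One caveat for a real implementation: the validator here checks the address the hostname resolves to, so the connection must be pinned to that same address, otherwise a DNS change between the check and the connect reopens the hole.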

Workarounds

There are no workarounds. We recommend upgrading to a patched version of BigBlueButton.

References

This is a bypass of GHSA-3q22-hph2-cff7 (CVE-2023-33176).

Credit

devme4f from VNPT-VCI who contacted us via huntr.dev and responsibly disclosed this vulnerability.
