Headline
CVE-2022-29236
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and up to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds.
Impact
In BigBlueButton before 2.3.18, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check was inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant.
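An added illustration of the bug class the advisory describes (a grace period for in-flight strokes that ends up bypassing the server-side whiteboard permission check) beside a corrected form; this is example code, not BigBlueButton's own code or the actual patch, and the state fields, function names and the 5000 ms window are assumptions.

```javascript
// Hypothetical server-side whiteboard access check (not BigBlueButton's code).
// Model (assumed): the server keeps, per whiteboard, the set of users currently
// allowed to draw, the set allowed before the last access change, and when that
// change happened. A short grace period lets a user whose access was just
// revoked finish a stroke that was already in flight.
const GRACE_MS = 5000; // assumed window length

function makeWhiteboard(access, previousAccess, accessChangedAt) {
  return {
    access: new Set(access),                 // users allowed to draw now
    previousAccess: new Set(previousAccess), // users allowed before the last change
    accessChangedAt,                         // ms timestamp of the last change
  };
}

function isGracePeriodOver(wb, now) {
  return now - wb.accessChangedAt > GRACE_MS;
}

// Buggy form: the grace flag is OR'ed in with the wrong polarity. Once the
// window has elapsed (the normal steady state of every meeting), the check
// is effectively skipped and any participant's annotation is accepted.
function acceptAnnotationBuggy(wb, userId, now) {
  return wb.access.has(userId) || isGracePeriodOver(wb, now);
}

// Corrected form: the grace period only extends a grant the user actually
// held before the change, and only while the window is still open.
function acceptAnnotationFixed(wb, userId, now) {
  if (wb.access.has(userId)) return true;
  return wb.previousAccess.has(userId) && !isGracePeriodOver(wb, now);
}

// Record a defender can log and alert on: an annotation from a participant
// who has no current grant and is outside any grace window (constructed format).
function rejectionRecord(wb, userId, now) {
  if (acceptAnnotationFixed(wb, userId, now)) return null;
  return {
    event: 'whiteboard_annotation_rejected',
    userId,
    msSinceAccessChange: now - wb.accessChangedAt,
  };
}
```

With access reset to the presenter only at t=1000 ms, a participant who never held access is accepted by the buggy check at t=61000 ms but rejected by the corrected one, while a previously allowed user is still accepted at t=3000 ms and rejected at t=7000 ms.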
Patches
Patched in 2.4-rc-6 and higher.
Patched in 2.3.18 and higher.
Workarounds
No workaround.
References
Patch for BigBlueButton 2.4-rc-6 #13803
Patch for BigBlueButton 2.3.18 #14265
For more information
If you have any questions or comments about this advisory:
- Email us at security at bigbluebutton.org
Credits
We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.