Vulnerability Details CVE-2022-29235
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched in versions 2.3.18 and 2.4-rc-6 by modifying the stream to send the data only for users in the meeting. There are currently no known workarounds.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 65.8%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 4.3
References
- https://github.com/bigbluebutton/bigbluebutton/pull/13788
- https://github.com/bigbluebutton/bigbluebutton/pull/14265
- https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18
- https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6
- https://github.com/bigbluebutton/bigbluebutton/pull/13788
- https://github.com/bigbluebutton/bigbluebutton/pull/14265
- https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18
- https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6
Products affected by CVE-2022-29235
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.0
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.1
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.10
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.11
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.12
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.14
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.15
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.16
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.17
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.18
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.19
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.2
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.20
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.21
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.22
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.23
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.24
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.25
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.26
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.27
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.28
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.29
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.3
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.30
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.31
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.4
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.5
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.6
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.7
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.8
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.9
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.0
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.1
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.10
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.11
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.12
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.13
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.14
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.15
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.16
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.17
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.2
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.3
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.4
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.5
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.6
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.7
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.8
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.9
-
cpe:2.3:a:bigbluebutton:bigbluebutton:2.4