
THREATINT
PUBLISHED

CVE-2023-43798

BigBlueButton Blind SSRF When Uploading Presentation (mitigation bypass)



Assigner: GitHub_M
Reserved: 2023-09-22
Published: 2023-10-30
Updated: 2024-09-05

Description

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of the fix for CVE-2023-33176. The patch in versions 2.6.12 and 2.7.0-rc.1 disables redirect following at `httpclient.execute`, since the software no longer needs to follow redirects once it uses `finalUrl`. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton.



Severity: MEDIUM (5.6) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

< 2.6.12: affected

>= 2.7.0-alpha.1, < 2.7.0-rc.1: affected

References

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-h98v-2h8w-99c4

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7

https://github.com/bigbluebutton/bigbluebutton/pull/18494

https://github.com/bigbluebutton/bigbluebutton/pull/18580

cve.org CVE-2023-43798

nvd.nist.gov CVE-2023-43798


https://cve.threatint.com/CVE/CVE-2023-43798