We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled follow redirect at `httpclient.execute` since the software no longer has to follow it when using `finalUrl`. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton.
Reserved 2023-09-22 | Published 2023-10-30 | Updated 2024-09-05 | Assigner GitHub_MCWE-918: Server-Side Request Forgery (SSRF)
github.com/...button/security/advisories/GHSA-h98v-2h8w-99c4
github.com/...button/security/advisories/GHSA-3q22-hph2-cff7
github.com/bigbluebutton/bigbluebutton/pull/18494
github.com/bigbluebutton/bigbluebutton/pull/18580
Support options