We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Assigner | GitHub_M |
Reserved | 2023-09-22 |
Published | 2023-10-30 |
Updated | 2024-09-05 |
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled follow redirect at `httpclient.execute` since the software no longer has to follow it when using `finalUrl`. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
CWE-918: Server-Side Request Forgery (SSRF)
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-h98v-2h8w-99c4
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7
https://github.com/bigbluebutton/bigbluebutton/pull/18494
https://github.com/bigbluebutton/bigbluebutton/pull/18580