
THREATINT
PUBLISHED

CVE-2023-43798

BigBlueButton Blind SSRF When Uploading Presentation (mitigation bypass)



Description

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of the mitigation for CVE-2023-33176. The patch in versions 2.6.12 and 2.7.0-rc.1 disables redirect following at `httpclient.execute`, since the software no longer needs to follow redirects when it requests the already-resolved `finalUrl`. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton.

Reserved 2023-09-22 | Published 2023-10-30 | Updated 2024-09-05 | Assigner GitHub_M


MEDIUM: 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

< 2.6.12: affected

>= 2.7.0-alpha.1, < 2.7.0-rc.1: affected

References

github.com/...button/security/advisories/GHSA-h98v-2h8w-99c4

github.com/...button/security/advisories/GHSA-3q22-hph2-cff7

github.com/bigbluebutton/bigbluebutton/pull/18494

github.com/bigbluebutton/bigbluebutton/pull/18580

cve.org (CVE-2023-43798)

nvd.nist.gov (CVE-2023-43798)

https://cve.threatint.com/CVE/CVE-2023-43798
