QwikSec

Security Database

CVE

CWE

Training

CVE-2023-43798

Published: Oct 30, 2023

Modified: Sep 5, 2024

PUBLISHED

CVSS v3.1

5.6

MEDIUM

Description

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled follow redirect at `httpclient.execute` since the software no longer has to follow it when using `finalUrl`. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton.

Vendor	Product	Versions
bigbluebutton	bigbluebutton	affected `< 2.6.12` affected `>= 2.7.0-alpha.1, < 2.7.0-rc.1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

References

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-h98v-2h8w-99c4

x_refsource_CONFIRM

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7

x_refsource_MISC

https://github.com/bigbluebutton/bigbluebutton/pull/18494

x_refsource_MISC

https://github.com/bigbluebutton/bigbluebutton/pull/18580

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.