CVE-2024-38518

BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be "role=moderator", allowing an attacker to join a meeting as moderator using a join link that was originally created for viewer access. This vulnerability has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/bigbluebutton/bigbluebutton/commit/a9d436accdcd26ea66bed9f391488ac128cd62d1
https://github.com/bigbluebutton/bigbluebutton/commit/ea6e9461dceae8fa593543d8c686f77bb8677e72
https://github.com/bigbluebutton/bigbluebutton/pull/20279
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4m48-49h7-f3c4
https://github.com/bigbluebutton/bigbluebutton/commit/a9d436accdcd26ea66bed9f391488ac128cd62d1
https://github.com/bigbluebutton/bigbluebutton/commit/ea6e9461dceae8fa593543d8c686f77bb8677e72
https://github.com/bigbluebutton/bigbluebutton/pull/20279
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4m48-49h7-f3c4

Configurations

No configuration.

History

21 Nov 2024, 09:26

Type	Values Removed	Values Added
References	~~() https://github.com/bigbluebutton/bigbluebutton/commit/a9d436accdcd26ea66bed9f391488ac128cd62d1 -~~	() https://github.com/bigbluebutton/bigbluebutton/commit/a9d436accdcd26ea66bed9f391488ac128cd62d1 -
References	~~() https://github.com/bigbluebutton/bigbluebutton/commit/ea6e9461dceae8fa593543d8c686f77bb8677e72 -~~	() https://github.com/bigbluebutton/bigbluebutton/commit/ea6e9461dceae8fa593543d8c686f77bb8677e72 -
References	~~() https://github.com/bigbluebutton/bigbluebutton/pull/20279 -~~	() https://github.com/bigbluebutton/bigbluebutton/pull/20279 -
References	~~() https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4m48-49h7-f3c4 -~~	() https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4m48-49h7-f3c4 -

01 Jul 2024, 12:37

Type	Values Removed	Values Added
Summary		(es) BigBlueButton es un aula virtual de código abierto diseñada para ayudar a los profesores a enseñar y a los alumnos a aprender. Un atacante con un enlace de entrada válido para una reunión puede engañar a BigBlueButton para que genere un enlace de entrada firmado con parámetros adicionales. Uno de esos parámetros puede ser "rol=moderador", lo que permite a un atacante unirse a una reunión como moderador utilizando un enlace para unirse que se creó originalmente para el acceso de los espectadores. Esta vulnerabilidad ha sido parcheada en las versiones 2.6.18, 2.7.8 y 3.0.0-alpha.7.

28 Jun 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-28 21:15

Updated : 2024-11-21 09:26

NVD link : CVE-2024-38518

Mitre link : CVE-2024-38518

CVE.ORG link : CVE-2024-38518

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

4.6 /10