Описание
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled follow redirect at httpclient.execute since the software no longer has to follow it when using finalUrl. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton.
Ссылки
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2.6.12 (исключая)
Одно из
cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta1:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta2:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta3:*:*:*:*:*:*
EPSS
Процентиль: 9%
0.00031
Низкий
5.6 Medium
CVSS3
5.4 Medium
CVSS3
Дефекты
CWE-918
EPSS
Процентиль: 9%
0.00031
Низкий
5.6 Medium
CVSS3
5.4 Medium
CVSS3
Дефекты
CWE-918