Skip to main content

Bigbluebutton CVE-2020-27605

CRITICAL
2020-10-21 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 21, 2020 - 15:15 nvd
CRITICAL 9.8

DescriptionNVD

BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."

AnalysisAI

BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox.". Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox." Affected products include: Bigbluebutton. Version information: through 2.2.28.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2020-12443 CRITICAL POC
9.8 Apr 29

BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value ca

CVE-2020-27613 HIGH POC
8.4 Oct 21

The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which al

CVE-2020-29043 HIGH POC
7.5 Nov 26

An issue was discovered in BigBlueButton through 2.2.29. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2020-27610 HIGH POC
7.5 Oct 21

The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external inte

CVE-2020-27603 HIGH POC
7.5 Oct 21

BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access exte

CVE-2020-12112 HIGH POC
7.5 Apr 23

BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion. Rated high severi

CVE-2026-27466 HIGH POC
7.2 Feb 21

BigBlueButton versions 3.0.21 and below allow remote denial of service when ClamAV is configured following official docu

CVE-2020-27607 MEDIUM POC
6.5 Oct 21

In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop acce

CVE-2020-27604 MEDIUM POC
6.5 Oct 21

BigBlueButton before 2.3 does not implement LibreOffice sandboxing. Rated medium severity (CVSS 6.5), this vulnerability

CVE-2020-25820 MEDIUM POC
6.5 Oct 21

BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploade

CVE-2020-27608 MEDIUM POC
6.1 Oct 21

In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, w

CVE-2022-31064 MEDIUM POC
5.4 Jun 27

BigBlueButton is an open source web conferencing system. Rated medium severity (CVSS 5.4), this vulnerability is remotel

Share

CVE-2020-27605 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy