Bigbluebutton
CVE-2023-33176
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an insertDocument API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the followRedirect method in the PresentationUrlDownloadService has been made to validate all URLs to be used for presentation download. Two new properties presentationDownloadSupportedProtocols and presentationDownloadBlockedHosts have also been added to bigbluebutton.properties to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to insertDocument must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton.
AnalysisAI
BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.
Technical ContextAI
This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an insertDocument API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the followRedirect method in the PresentationUrlDownloadService has been made to validate all URLs to be used for presentation download. Two new properties presentationDownloadSupportedProtocols and presentationDownloadBlockedHosts have also been added to bigbluebutton.properties to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to insertDocument must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton. Affected products include: Bigbluebutton.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.
More in Bigbluebutton
View allBigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject
BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value ca
The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which al
An issue was discovered in BigBlueButton through 2.2.29. Rated high severity (CVSS 7.5), this vulnerability is remotely
The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external inte
BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access exte
BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion. Rated high severi
BigBlueButton versions 3.0.21 and below allow remote denial of service when ClamAV is configured following official docu
In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop acce
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. Rated medium severity (CVSS 6.5), this vulnerability
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploade
In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, w
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today