CVE-2022-29235

Limited data exposure for shared external videos in BigBlueButton

Description

BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched in versions 2.3.18 and 2.4-rc-6 by modifying the stream to send the data only for users in the meeting. There are currently no known workarounds.

References

Link	Tags
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6	third party advisory patch
https://github.com/bigbluebutton/bigbluebutton/pull/13788	third party advisory patch
https://github.com/bigbluebutton/bigbluebutton/pull/14265	third party advisory patch
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18	third party advisory release notes
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6	third party advisory release notes

Frequently Asked Questions

What is the severity of CVE-2022-29235?: CVE-2022-29235 has been scored as a medium severity vulnerability.
How to fix CVE-2022-29235?: To fix CVE-2022-29235, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-29235 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2022-29235 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-29235?: CVE-2022-29235 affects bigbluebutton bigbluebutton.

Description

Category

CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

References

Frequently Asked Questions