CVE-2022-29236

Improper access control for pencil annotations in BigBlueButton

Description

BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds.

References

Link	Tags
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r	third party advisory patch
https://github.com/bigbluebutton/bigbluebutton/pull/13803	third party advisory patch
https://github.com/bigbluebutton/bigbluebutton/pull/14265	third party advisory patch
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18	third party advisory release notes
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6	third party advisory release notes

Frequently Asked Questions

What is the severity of CVE-2022-29236?: CVE-2022-29236 has been scored as a medium severity vulnerability.
How to fix CVE-2022-29236?: To fix CVE-2022-29236, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-29236 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2022-29236 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-29236?: CVE-2022-29236 affects bigbluebutton bigbluebutton.

Description

Category

CWE-285 – Improper Authorization

References

Frequently Asked Questions