Home > Vulnerability Database > CVE-2022-29233

Mend.io Vulnerability Database

CVE-2022-29233

Good to know:

Date: June 1, 2022

BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds.

Language: JS

Severity Score

4.3

Related Resources (7)

Url: https://github.com/bigbluebutton/bigbluebutton/pull/14265

Url: https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-1

Url: https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3mr9-p9gw-cf33

Url: https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-29233

Url: https://github.com/bigbluebutton/bigbluebutton/pull/13117

Url: https://www.mend.io/vulnerability-database/CVE-2022-29233

Severity Score

4.3

Weakness Type (CWE)

Improper Authorization

CWE-285

Top Fix

Upgrade Version

Upgrade to version v2.3.18,v2.4-rc-1

Learn More

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-29233

Good to know:

Date: June 1, 2022

Language: JS

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?