BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds.
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Bigbluebutton | Bigbluebutton | 2.2.0 (including) | 2.3.18 (excluding) |
Bigbluebutton | Bigbluebutton | 2.4-alpha1 (including) | 2.4-alpha1 (including) |
Bigbluebutton | Bigbluebutton | 2.4-alpha2 (including) | 2.4-alpha2 (including) |
Bigbluebutton | Bigbluebutton | 2.4-beta1 (including) | 2.4-beta1 (including) |
Bigbluebutton | Bigbluebutton | 2.4-beta2 (including) | 2.4-beta2 (including) |
Bigbluebutton | Bigbluebutton | 2.4-beta3 (including) | 2.4-beta3 (including) |
Bigbluebutton | Bigbluebutton | 2.4-beta4 (including) | 2.4-beta4 (including) |
Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user’s privileges and any permissions or other access-control specifications that apply to the resource. When access control checks are not applied consistently - or not at all - users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.