BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an insertDocument API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the followRedirect method in the PresentationUrlDownloadService has been made to validate all URLs to be used for presentation download. Two new properties presentationDownloadSupportedProtocols and presentationDownloadBlockedHosts have also been added to bigbluebutton.properties to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to insertDocument must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton.
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Bigbluebutton | Bigbluebutton | * | 2.5.18 (excluding) |
| Bigbluebutton | Bigbluebutton | 2.6.0 (including) | 2.6.9 (excluding) |