CVE-2023-33176 (GCVE-0-2023-33176)

Vulnerability from cvelistv5 – Published: 2023-06-26 19:50 – Updated: 2024-11-12 15:18
VLAI?
Title
Blind SSRF When Uploading Presentation in BigBlueButton
Summary
BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton.
Severity ?
4.8 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
Vendor Product Version
bigbluebutton bigbluebutton Affected: >= 2.6.0, < 2.6.9
Affected: < 2.5.18
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:39:35.770Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7"
          },
          {
            "name": "https://github.com/bigbluebutton/bigbluebutton/pull/18045",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/bigbluebutton/bigbluebutton/pull/18045"
          },
          {
            "name": "https://github.com/bigbluebutton/bigbluebutton/pull/18052",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/bigbluebutton/bigbluebutton/pull/18052"
          },
          {
            "name": "https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415"
          },
          {
            "name": "https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33176",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-12T15:18:33.796074Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-12T15:18:46.803Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "bigbluebutton",
          "vendor": "bigbluebutton",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.6.0, \u003c 2.6.9"
            },
            {
              "status": "affected",
              "version": "\u003c 2.5.18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-26T19:50:25.212Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7"
        },
        {
          "name": "https://github.com/bigbluebutton/bigbluebutton/pull/18045",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bigbluebutton/bigbluebutton/pull/18045"
        },
        {
          "name": "https://github.com/bigbluebutton/bigbluebutton/pull/18052",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bigbluebutton/bigbluebutton/pull/18052"
        },
        {
          "name": "https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415"
        },
        {
          "name": "https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71"
        }
      ],
      "source": {
        "advisory": "GHSA-3q22-hph2-cff7",
        "discovery": "UNKNOWN"
      },
      "title": "Blind SSRF When Uploading Presentation in BigBlueButton"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-33176",
    "datePublished": "2023-06-26T19:50:25.212Z",
    "dateReserved": "2023-05-17T22:25:50.696Z",
    "dateUpdated": "2024-11-12T15:18:46.803Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.5.18\", \"matchCriteriaId\": \"3B7CCA1A-4A56-43B9-A9AA-BB999FB98A72\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.6.0\", \"versionEndExcluding\": \"2.6.9\", \"matchCriteriaId\": \"55138784-E1EC-452E-8534-460BBB2A0C7C\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton.\"}]",
      "id": "CVE-2023-33176",
      "lastModified": "2024-11-21T08:05:03.173",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 2.5}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 2.5}]}",
      "published": "2023-06-26T20:15:10.063",
      "references": "[{\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18045\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18052\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18045\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18052\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-918\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-33176\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-06-26T20:15:10.063\",\"lastModified\":\"2024-11-21T08:05:03.173\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.5.18\",\"matchCriteriaId\":\"3B7CCA1A-4A56-43B9-A9AA-BB999FB98A72\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.0\",\"versionEndExcluding\":\"2.6.9\",\"matchCriteriaId\":\"55138784-E1EC-452E-8534-460BBB2A0C7C\"}]}]}],\"references\":[{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/pull/18045\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/pull/18052\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/pull/18045\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/pull/18052\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18045\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18045\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18052\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18052\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T15:39:35.770Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-33176\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-12T15:18:33.796074Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-12T15:18:40.851Z\"}}], \"cna\": {\"title\": \"Blind SSRF When Uploading Presentation in BigBlueButton\", \"source\": {\"advisory\": \"GHSA-3q22-hph2-cff7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"bigbluebutton\", \"product\": \"bigbluebutton\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.6.0, \u003c 2.6.9\"}, {\"status\": \"affected\", \"version\": \"\u003c 2.5.18\"}]}], \"references\": [{\"url\": \"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18045\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18045\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18052\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18052\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-06-26T19:50:25.212Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-33176\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-12T15:18:46.803Z\", \"dateReserved\": \"2023-05-17T22:25:50.696Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-06-26T19:50:25.212Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.