cvelistv5 - cve-2024-39302

CVE-2024-39302 (GCVE-0-2024-39302)

Vulnerability from cvelistv5 – Published: 2024-06-28 20:51 – Updated: 2024-08-02 04:19

Title

Some bbb-record-core files installed with wrong file permission

Summary

BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` directory with the goal of privilege escalation, potentially exposing sensitive information on the server. This issue has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.

Severity ?

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-269 - Improper Privilege Management

Assigner

GitHub_M

References

URL

Tags

	https://github.com/bigbluebutton/bigbluebutton/se…	x_refsource_CONFIRM
	https://github.com/bigbluebutton/bigbluebutton/co…	x_refsource_MISC
	https://github.com/bigbluebutton/bigbluebutton/co…	x_refsource_MISC
	https://github.com/bigbluebutton/bigbluebutton/co…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	bigbluebutton	bigbluebutton	Affected: < 2.6.18 Affected: >= 2.7.0, < 2.7.8 Affected: >= 2.8.0, < 3.0.0-alpha.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-39302",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-01T20:23:04.572464Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-01T21:23:02.505Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:19:20.698Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q"
          },
          {
            "name": "https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18"
          },
          {
            "name": "https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a"
          },
          {
            "name": "https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "bigbluebutton",
          "vendor": "bigbluebutton",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c  2.6.18"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.7.0, \u003c 2.7.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.8.0, \u003c 3.0.0-alpha.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` directory with the goal of privilege escalation, potentially exposing sensitive information on the server. This issue has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-28T20:51:59.312Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q"
        },
        {
          "name": "https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18"
        },
        {
          "name": "https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a"
        },
        {
          "name": "https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a"
        }
      ],
      "source": {
        "advisory": "GHSA-5966-9hw8-q96q",
        "discovery": "UNKNOWN"
      },
      "title": "Some bbb-record-core files installed with wrong file permission"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-39302",
    "datePublished": "2024-06-28T20:51:59.312Z",
    "dateReserved": "2024-06-21T18:15:22.257Z",
    "dateUpdated": "2024-08-02T04:19:20.698Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` directory with the goal of privilege escalation, potentially exposing sensitive information on the server. This issue has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.\\n\"}, {\"lang\": \"es\", \"value\": \"BigBlueButton es un aula virtual de c\\u00f3digo abierto dise\\u00f1ada para ayudar a los profesores a ense\\u00f1ar y a los alumnos a aprender. Un atacante puede explotar los permisos de archivos demasiado elevados en el directorio `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` con el objetivo de escalar privilegios. potencialmente exponer informaci\\u00f3n confidencial en el servidor. Este problema se solucion\\u00f3 en las versiones 2.6.18, 2.7.8 y 3.0.0-alpha.7.\"}]",
      "id": "CVE-2024-39302",
      "lastModified": "2024-11-21T09:27:25.153",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"baseScore\": 3.7, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 1.4}]}",
      "published": "2024-06-28T21:15:03.437",
      "references": "[{\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-269\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-39302\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-06-28T21:15:03.437\",\"lastModified\":\"2024-11-21T09:27:25.153\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` directory with the goal of privilege escalation, potentially exposing sensitive information on the server. This issue has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.\\n\"},{\"lang\":\"es\",\"value\":\"BigBlueButton es un aula virtual de c\u00f3digo abierto dise\u00f1ada para ayudar a los profesores a ense\u00f1ar y a los alumnos a aprender. Un atacante puede explotar los permisos de archivos demasiado elevados en el directorio `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` con el objetivo de escalar privilegios. potencialmente exponer informaci\u00f3n confidencial en el servidor. Este problema se solucion\u00f3 en las versiones 2.6.18, 2.7.8 y 3.0.0-alpha.7.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"references\":[{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-39302\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-01T20:23:04.572464Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-01T21:22:59.521Z\"}}], \"cna\": {\"title\": \"Some bbb-record-core files installed with wrong file permission\", \"source\": {\"advisory\": \"GHSA-5966-9hw8-q96q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"bigbluebutton\", \"product\": \"bigbluebutton\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c  2.6.18\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.7.0, \u003c 2.7.8\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.8.0, \u003c 3.0.0-alpha.7\"}]}], \"references\": [{\"url\": \"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` directory with the goal of privilege escalation, potentially exposing sensitive information on the server. This issue has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.\\n\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-269\", \"description\": \"CWE-269: Improper Privilege Management\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-06-28T20:51:59.312Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-39302\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-07-01T21:23:02.505Z\", \"dateReserved\": \"2024-06-21T18:15:22.257Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-06-28T20:51:59.312Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-39302

Vulnerability from fkie_nvd - Published: 2024-06-28 21:15 - Updated: 2024-11-21 09:27

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18
	security-advisories@github.com	https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a
	security-advisories@github.com	https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a
	security-advisories@github.com	https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` directory with the goal of privilege escalation, potentially exposing sensitive information on the server. This issue has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.\n"
    },
    {
      "lang": "es",
      "value": "BigBlueButton es un aula virtual de c\u00f3digo abierto dise\u00f1ada para ayudar a los profesores a ense\u00f1ar y a los alumnos a aprender. Un atacante puede explotar los permisos de archivos demasiado elevados en el directorio `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` con el objetivo de escalar privilegios. potencialmente exponer informaci\u00f3n confidencial en el servidor. Este problema se solucion\u00f3 en las versiones 2.6.18, 2.7.8 y 3.0.0-alpha.7."
    }
  ],
  "id": "CVE-2024-39302",
  "lastModified": "2024-11-21T09:27:25.153",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 3.7,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-06-28T21:15:03.437",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-269"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

WID-SEC-W-2024-1471

Vulnerability from csaf_certbund - Published: 2024-06-27 22:00 - Updated: 2024-06-27 22:00

Summary

BigBlueButton: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

BigBlueButton ist ein Open-Source-Web-Konferenzsystem.

Angriff

Ein entfernter Angreifer kann mehrere Schwachstellen in BigBlueButton ausnutzen, um Sicherheitsmaßnahmen zu umgehen oder vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "BigBlueButton ist ein Open-Source-Web-Konferenzsystem.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter Angreifer kann mehrere Schwachstellen in BigBlueButton ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen oder vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-1471 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1471.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-1471 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1471"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-4m48-49h7-f3c4 vom 2024-06-27",
        "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4m48-49h7-f3c4"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-5966-9hw8-q96q vom 2024-06-27",
        "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q"
      }
    ],
    "source_lang": "en-US",
    "title": "BigBlueButton: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-06-27T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:10:39.440+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-1471",
      "initial_release_date": "2024-06-27T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-06-27T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.7.8",
                "product": {
                  "name": "Open Source BigBlueButton \u003c2.7.8",
                  "product_id": "T035684"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.6.18",
                "product": {
                  "name": "Open Source BigBlueButton \u003c2.6.18",
                  "product_id": "T035685"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c3.0.0-alpha.7",
                "product": {
                  "name": "Open Source BigBlueButton \u003c3.0.0-alpha.7",
                  "product_id": "T035686"
                }
              }
            ],
            "category": "product_name",
            "name": "BigBlueButton"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-38518",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in BigBlueButton. Dieser Fehler besteht im API-Anforderungsvalidierungsprozess, der es erm\u00f6glicht, einen signierten Beitrittslink mit zus\u00e4tzlichen Parametern zu generieren, der zum Beitritt zu einem Meeting als Moderator f\u00fchrt. Ein entfernter authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
        }
      ],
      "release_date": "2024-06-27T22:00:00.000+00:00",
      "title": "CVE-2024-38518"
    },
    {
      "cve": "CVE-2024-39302",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in BigBlueButton. Dieser Fehler besteht aufgrund einer unsachgem\u00e4\u00dfen Rechteverwaltung. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen."
        }
      ],
      "release_date": "2024-06-27T22:00:00.000+00:00",
      "title": "CVE-2024-39302"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-39302 (GCVE-0-2024-39302)

FKIE_CVE-2024-39302

WID-SEC-W-2024-1471

Tags

Sightings

Nomenclature