SB2022060143 - Multiple vulnerabilities in BigBlueButton
Published: June 1, 2022 Updated: May 15, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2022-29236)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to circumvent access restrictions for drawing on the whiteboard.
The vulnerability exists due to an improper server-side permission check for whiteboard pencil annotation actions. A remote user can send annotation actions that are not authorized for their role to circumvent access restrictions for drawing on the whiteboard.
The attacker must be a meeting participant.
2) Improper access control (CVE-ID: CVE-2022-29235)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose limited information about a shared external video.
The vulnerability exists due to improper access control on the external video data stream on the server, which can be read by anyone who has obtained the meeting identifier. A remote attacker can access information such as the current timestamp and the play or pause state to disclose limited information about a shared external video.
3) Improper access control (CVE-ID: CVE-2022-29234)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass chat lock restrictions.
The vulnerability exists due to improper access control in public/private chat lock enforcement when lock settings are changed during a meeting. A remote user can send messages within the 5-second grace period to bypass chat lock restrictions.
The issue affects participants in the meeting and is limited to a 5-second window after a lock setting change.
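All three issues in this bulletin are access-control failures on the server side of a meeting: an annotation type that escapes the whiteboard permission check (1), a data stream reachable with only a meeting identifier (2), and a chat lock that is not enforced immediately after the setting changes (3). The following is an added example, not BigBlueButton code, of how a server-side authorization gate avoids each pattern: every action is checked against the sender's membership, the sender's role, and the meeting's current lock state at the moment the server handles it. The names `Meeting`, `authorizeAction`, `makeStaleHandler` and the action constants are constructed for this example and do not correspond to the project's identifiers; the stale-snapshot handler is a hypothetical mechanism shown only to illustrate how a window between a lock change and its enforcement arises.

```javascript
// Added example (not BigBlueButton code): a server-side authorization gate for
// meeting actions. Names and the lock model are constructed for illustration.

const ACTIONS = Object.freeze({
  DRAW_PENCIL: 'draw_pencil',
  DRAW_SHAPE: 'draw_shape',
  CHAT_PUBLIC: 'chat_public',
  CHAT_PRIVATE: 'chat_private',
  SUBSCRIBE_EXTERNAL_VIDEO: 'subscribe_external_video',
});

class Meeting {
  constructor() {
    // Authoritative lock state; every check reads this object directly.
    this.locks = { whiteboard: false, publicChat: false, privateChat: false };
    this.users = new Map(); // userId -> { role: 'moderator' | 'viewer', presenter: boolean }
  }
  addUser(id, role, presenter = false) {
    this.users.set(id, { role, presenter });
  }
  setLock(name, value) {
    if (!(name in this.locks)) throw new Error(`unknown lock ${name}`);
    this.locks[name] = value;
  }
}

// Decide whether userId may perform action in meeting right now.
// Returns { allowed: boolean, reason: string }.
function authorizeAction(meeting, userId, action) {
  const user = meeting.users.get(userId);
  // Knowing the meeting identifier is not enough: the sender must be a
  // participant before any stream or action is reachable (issue 2).
  if (!user) return { allowed: false, reason: 'not a meeting participant' };
  const privileged = user.role === 'moderator' || user.presenter;
  switch (action) {
    case ACTIONS.DRAW_PENCIL:
    case ACTIONS.DRAW_SHAPE:
      // Every annotation type passes through the same whiteboard check, so
      // no single type can fall outside the permission model (issue 1).
      if (meeting.locks.whiteboard && !privileged) return { allowed: false, reason: 'whiteboard locked' };
      return { allowed: true, reason: 'ok' };
    case ACTIONS.CHAT_PUBLIC:
      // Lock state is read at message time, so a change applies at once (issue 3).
      if (meeting.locks.publicChat && !privileged) return { allowed: false, reason: 'public chat locked' };
      return { allowed: true, reason: 'ok' };
    case ACTIONS.CHAT_PRIVATE:
      if (meeting.locks.privateChat && !privileged) return { allowed: false, reason: 'private chat locked' };
      return { allowed: true, reason: 'ok' };
    case ACTIONS.SUBSCRIBE_EXTERNAL_VIDEO:
      // Participants only; the membership check above already excluded outsiders.
      return { allowed: true, reason: 'ok' };
    default:
      // Unknown actions are denied, never passed through.
      return { allowed: false, reason: `unknown action ${action}` };
  }
}

// Hypothetical handler that checks a copy of the lock settings taken earlier.
// Until refreshSnapshot() runs, a lock change is not enforced, which is how an
// enforcement window appears. Constructed only to contrast with authorizeAction.
function makeStaleHandler(meeting) {
  let snapshot = { ...meeting.locks };
  return {
    refreshSnapshot() {
      snapshot = { ...meeting.locks };
    },
    canChatPublic(userId) {
      const user = meeting.users.get(userId);
      if (!user) return false;
      const privileged = user.role === 'moderator' || user.presenter;
      return privileged || !snapshot.publicChat;
    },
  };
}

// Walk through a lock change: the stale handler still admits the viewer's
// message, the direct check denies it.
function demo() {
  const m = new Meeting();
  m.addUser('mod', 'moderator');
  m.addUser('alice', 'viewer');
  const stale = makeStaleHandler(m);
  m.setLock('publicChat', true);
  const staleAllows = stale.canChatPublic('alice');
  const directAllows = authorizeAction(m, 'alice', ACTIONS.CHAT_PUBLIC).allowed;
  stale.refreshSnapshot();
  const staleAfterRefresh = stale.canChatPublic('alice');
  return { staleAllows, directAllows, staleAfterRefresh };
}
```

The design point is that the authorization decision takes its inputs (membership, role, lock state) from the authoritative meeting record at the time the action is processed, and that all variants of one capability share one check; a cached copy of settings or a per-type check is where the windows and gaps described above come from.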
Remediation
Install the update from the vendor's website.
References
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r
- https://github.com/bigbluebutton/bigbluebutton/pull/13803
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6
- https://github.com/bigbluebutton/bigbluebutton/pull/13788
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-36vc-c338-6xjv
- https://github.com/bigbluebutton/bigbluebutton/pull/13850