CVE-2022-31039 MEDIUM

CVE-2022-31039: Improper privilege management - Anyone can view room settings in GreenLight

Vendor Bigbluebutton

Product greenlight

Weakness CWE-269

Published June 27, 2022

Last update April 23, 2025

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Greenlight is a simple front-end interface for your BigBlueButton server. In affected versions an attacker can view any room's settings even though they are not authorized to do so. Only the room owner and administrator should be able to view a room's settings. This issue has been patched in release version 2.12.6.

Key dates

02Disclosure timeline

June 27, 2022 CVE published

April 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-31039 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/269.html

Related vulnerabilities

04Related CVE

CVE-2025-2324 A MOVEit Transfer user configured as a Shared Account can gain unintended List permissions on a folder CVE-2024-23457 Anti-tampering can be disabled with uninstall password enforced CVE-2022-42888 WordPress ARMember Plugin <= 5.5.1 is vulnerable to Privilege Escalation CVE-2023-30765 Delta Electronics InfraSuite Device Master Improper Access Control CVE-2023-28436 Non-interactive Tailscale SSH sessions on FreeBSD may use the effective group ID of the tailscaled process