CVE-2023-42804 (severity: Low)

CVE-2023-42804: BigBlueButton Path Traversal – Reading Certain File Extensions

Vendor Bigbluebutton
Product bigbluebutton
Weakness CWE-22 · Path traversal
Published October 30, 2023
Last update September 5, 2024

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability: an attacker who knows a valid starting folder path can traverse to and read other files without authentication, provided those files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds.

Key dates

Disclosure timeline

October 30, 2023 CVE published
September 5, 2024 Record updated