CVE-2024-39302 LOW

CVE-2024-39302: Some bbb-record-core files installed with wrong file permission

Vendor Bigbluebutton
Product bigbluebutton
Weakness CWE-269
Published June 28, 2024
Last update August 2, 2024

CVSS base score

3.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` directory with the goal of privilege escalation, potentially exposing sensitive information on the server. This issue has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.

Key dates

02Disclosure timeline

June 28, 2024 CVE published
August 2, 2024 Record updated