BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.
References
Link | Resource |
---|---|
https://docs.bigbluebutton.org/dev/api.html | Product |
https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2020-10-21T14:09:11
Updated: 2020-10-21T14:09:11
Reserved: 2020-10-21T00:00:00
Link: CVE-2020-27604
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-10-21T15:15:26.967
Modified: 2020-10-30T14:31:59.867
Link: CVE-2020-27604
JSON object: View
Redhat Information
No data.
CWE