CVE-2022-23488

Source
https://cve.org/CVERecord?id=CVE-2022-23488
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23488.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-23488
Aliases
  • GHSA-j5g3-f74q-rvfq
Published
2022-12-17T00:28:46.567Z
Modified
2026-02-21T01:15:52.830687Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
BigBlueButton vulnerable to Insertion of Sensitive Information Into Sent Data
Details

BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams even when the lock setting is applied (the required streamId was being sent to all users even with the lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds.

Database specific
{
    "cwe_ids": [
        "CWE-200",
        "CWE-201"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23488.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/bigbluebutton/bigbluebutton

Affected ranges

Type
GIT
Repo
https://github.com/bigbluebutton/bigbluebutton
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*
0.81-dev-deskshare-fixes-compatible-with-0.8
2.*
2.2-beta-10
2.2-beta-11
2.2-beta-12
2.2-beta-14
2.2-beta-15
2.2-beta-16
2.2-beta-17
2.2-beta-18
2.2-beta-19
2.2-beta-2
2.2-beta-20
2.2-beta-21
2.2-beta-22
2.2-beta-23
2.2-beta-3
2.2-beta-4
2.2-beta-5
2.2-beta-6
2.2-beta-7
2.2-beta-8
2.2-beta-9
2.2-rc-1
2.2-rc-2
2.2-rc-3
2.2-rc-4
2.2-rc-5
2.2-rc-6
2.4-rc-2
Other
dcs-2-a
pre-recording-merge
v0.*
v0.7
v0.71
v0.71a
v0.8
v0.81
v0.81b
v0.81rc
v0.81rc2
v0.81rc3
v0.81rc4
v0.81rc5
v0.8b4
v0.8b4.0
v0.8rc2
v0.9.0-beta
v0.9.1
v0.9.2
v1.*
v1.0.0
v1.1.0
v2.*
v2.0-rc2
v2.0-rc3
v2.0-rc4
v2.0-rc5
v2.0-rc6
v2.0-rc7
v2.0.x-html5-beta1
v2.2.0
v2.2.1
v2.2.10
v2.2.11-good
v2.2.12
v2.2.14
v2.2.15
v2.2.16
v2.2.17
v2.2.18
v2.2.19
v2.2.2
v2.2.20
v2.2.21
v2.2.22
v2.2.23
v2.2.24
v2.2.25
v2.2.26
v2.2.27
v2.2.28
v2.2.29
v2.2.3
v2.2.30
v2.2.31
v2.2.32
v2.2.33
v2.2.34
v2.2.35
v2.2.36
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.3-alpha-1
v2.3-alpha-2
v2.3-alpha-3
v2.3-alpha-4
v2.3-alpha-5
v2.3-alpha-6
v2.3-alpha-7
v2.3-alpha-8
v2.3-beta-1
v2.3-beta-2
v2.3-beta-3
v2.3-beta-4
v2.3-beta-5
v2.3-rc-1
v2.3-rc-2
v2.3.0
v2.3.1
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.4-alpha-1
v2.4-alpha-2
v2.4-beta-1
v2.4-beta-2
v2.4-beta-3
v2.4-beta-4
v2.4-rc-1
v2.4-rc-3
v2.4-rc-4
v2.4-rc-5

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23488.json"