CVE-2023-33176

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-33176
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-33176.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-33176
Related
  • GHSA-3q22-hph2-cff7
Published
2023-06-26T20:15:10Z
Modified
2025-01-08T15:00:15.524219Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an insertDocument API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the followRedirect method in the PresentationUrlDownloadService has been made to validate all URLs to be used for presentation download. Two new properties presentationDownloadSupportedProtocols and presentationDownloadBlockedHosts have also been added to bigbluebutton.properties to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to insertDocument must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton.

References

Affected packages

Git / github.com/bigbluebutton/bigbluebutton

Affected ranges

Type
GIT
Repo
https://github.com/bigbluebutton/bigbluebutton
Events

Affected versions

0.*

0.81-dev-deskshare-fixes-compatible-with-0.8

2.*

2.2-beta-10
2.2-beta-11
2.2-beta-12
2.2-beta-14
2.2-beta-15
2.2-beta-16
2.2-beta-17
2.2-beta-18
2.2-beta-19
2.2-beta-2
2.2-beta-20
2.2-beta-21
2.2-beta-22
2.2-beta-23
2.2-beta-3
2.2-beta-4
2.2-beta-5
2.2-beta-6
2.2-beta-7
2.2-beta-8
2.2-beta-9
2.2-rc-1
2.2-rc-2
2.2-rc-3
2.2-rc-4
2.2-rc-5
2.2-rc-6
2.4-rc-2
2.5.0-rc.3

Other

dcs-2-a
pre-recording-merge

v0.*

v0.7
v0.71
v0.71a
v0.8
v0.81
v0.81b
v0.81rc
v0.81rc2
v0.81rc3
v0.81rc4
v0.81rc5
v0.8b4
v0.8b4.0
v0.8rc2
v0.9.0-beta
v0.9.1
v0.9.2

v1.*

v1.0.0
v1.1.0

v2.*

v2.0-rc2
v2.0-rc3
v2.0-rc4
v2.0-rc5
v2.0-rc6
v2.0-rc7
v2.0.x-html5-beta1
v2.2.0
v2.2.1
v2.2.10
v2.2.11-good
v2.2.12
v2.2.14
v2.2.15
v2.2.16
v2.2.17
v2.2.18
v2.2.19
v2.2.2
v2.2.20
v2.2.21
v2.2.22
v2.2.23
v2.2.24
v2.2.25
v2.2.26
v2.2.27
v2.2.28
v2.2.29
v2.2.3
v2.2.30
v2.2.31
v2.2.32
v2.2.33
v2.2.34
v2.2.35
v2.2.36
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.3-alpha-1
v2.3-alpha-2
v2.3-alpha-3
v2.3-alpha-4
v2.3-alpha-5
v2.3-alpha-6
v2.3-alpha-7
v2.3-alpha-8
v2.3-beta-1
v2.3-beta-2
v2.3-beta-3
v2.3-beta-4
v2.3-beta-5
v2.3-rc-1
v2.3-rc-2
v2.3.0
v2.3.1
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.4-alpha-1
v2.4-alpha-2
v2.4-beta-1
v2.4-beta-2
v2.4-beta-3
v2.4-beta-4
v2.4-rc-1
v2.4-rc-3
v2.4-rc-4
v2.4-rc-5
v2.4-rc-6
v2.4-rc-7
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.5-alpha-1
v2.5-alpha-2
v2.5-alpha-3
v2.5-alpha-4
v2.5.0
v2.5.0-alpha.5
v2.5.0-alpha.6
v2.5.0-beta.1
v2.5.0-beta.2
v2.5.0-rc.1
v2.5.0-rc.2
v2.5.0-rc.4
v2.5.1
v2.5.10
v2.5.11
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.6.0
v2.6.0-alpha.1
v2.6.0-alpha.2
v2.6.0-alpha.3
v2.6.0-alpha.4
v2.6.0-beta.1
v2.6.0-beta.2
v2.6.0-beta.3
v2.6.0-beta.4
v2.6.0-beta.5
v2.6.0-beta.6
v2.6.0-beta.7
v2.6.0-rc.1
v2.6.0-rc.2
v2.6.0-rc.3
v2.6.0-rc.4
v2.6.0-rc.5
v2.6.0-rc.6
v2.6.0-rc.7
v2.6.0-rc.8
v2.6.0-rc.9
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8