CVE-2023-33176 (GCVE-0-2023-33176)
Vulnerability from cvelistv5
Published
2023-06-26 19:50
Modified
2024-11-12 15:18
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Summary
BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton.
References
security-advisories@github.comhttps://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415Patch
security-advisories@github.comhttps://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71Patch
security-advisories@github.comhttps://github.com/bigbluebutton/bigbluebutton/pull/18045Patch
security-advisories@github.comhttps://github.com/bigbluebutton/bigbluebutton/pull/18052Issue Tracking
security-advisories@github.comhttps://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/bigbluebutton/bigbluebutton/pull/18045Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/bigbluebutton/bigbluebutton/pull/18052Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7Vendor Advisory
Impacted products
Vendor Product Version
bigbluebutton bigbluebutton Version: >= 2.6.0, < 2.6.9
Version: < 2.5.18
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:39:35.770Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7"
          },
          {
            "name": "https://github.com/bigbluebutton/bigbluebutton/pull/18045",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/bigbluebutton/bigbluebutton/pull/18045"
          },
          {
            "name": "https://github.com/bigbluebutton/bigbluebutton/pull/18052",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/bigbluebutton/bigbluebutton/pull/18052"
          },
          {
            "name": "https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415"
          },
          {
            "name": "https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33176",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-12T15:18:33.796074Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-12T15:18:46.803Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "bigbluebutton",
          "vendor": "bigbluebutton",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.6.0, \u003c 2.6.9"
            },
            {
              "status": "affected",
              "version": "\u003c 2.5.18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-26T19:50:25.212Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7"
        },
        {
          "name": "https://github.com/bigbluebutton/bigbluebutton/pull/18045",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bigbluebutton/bigbluebutton/pull/18045"
        },
        {
          "name": "https://github.com/bigbluebutton/bigbluebutton/pull/18052",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bigbluebutton/bigbluebutton/pull/18052"
        },
        {
          "name": "https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415"
        },
        {
          "name": "https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71"
        }
      ],
      "source": {
        "advisory": "GHSA-3q22-hph2-cff7",
        "discovery": "UNKNOWN"
      },
      "title": "Blind SSRF When Uploading Presentation in BigBlueButton"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-33176",
    "datePublished": "2023-06-26T19:50:25.212Z",
    "dateReserved": "2023-05-17T22:25:50.696Z",
    "dateUpdated": "2024-11-12T15:18:46.803Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-33176\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-06-26T20:15:10.063\",\"lastModified\":\"2024-11-21T08:05:03.173\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.5.18\",\"matchCriteriaId\":\"3B7CCA1A-4A56-43B9-A9AA-BB999FB98A72\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.0\",\"versionEndExcluding\":\"2.6.9\",\"matchCriteriaId\":\"55138784-E1EC-452E-8534-460BBB2A0C7C\"}]}]}],\"references\":[{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/pull/18045\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/pull/18052\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/pull/18045\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/pull/18052\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18045\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18045\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18052\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18052\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T15:39:35.770Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-33176\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-12T15:18:33.796074Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-12T15:18:40.851Z\"}}], \"cna\": {\"title\": \"Blind SSRF When Uploading Presentation in BigBlueButton\", \"source\": {\"advisory\": \"GHSA-3q22-hph2-cff7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"bigbluebutton\", \"product\": \"bigbluebutton\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.6.0, \u003c 2.6.9\"}, {\"status\": \"affected\", \"version\": \"\u003c 2.5.18\"}]}], \"references\": [{\"url\": \"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18045\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18045\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18052\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/pull/18052\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71\", \"name\": \"https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-06-26T19:50:25.212Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-33176\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-12T15:18:46.803Z\", \"dateReserved\": \"2023-05-17T22:25:50.696Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-06-26T19:50:25.212Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.