1. Home
  2. CVE Database
  3. CVE-2022-29236
MEDIUM · 4.3

CVE-2022-29236

BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard...

Vulnerability Description

BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE

Affected Products

VendorProductVersions
BigbluebuttonBigbluebutton>= 2.2.0, < 2.3.18

Related Weaknesses (CWE)

CWE-285

References

FAQ

What is CVE-2022-29236?

CVE-2022-29236 is a vulnerability with a CVSS score of 4.3 (MEDIUM). BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard...

How severe is CVE-2022-29236?

CVE-2022-29236 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-29236?

Check the references section above for vendor advisories and patch information. Affected products include: Bigbluebutton Bigbluebutton.