Blind SSRF When Uploading Presentation (mitigation bypass)

Moderate
antobinary published GHSA-h98v-2h8w-99c4 Oct 30, 2023

Package

No package listed

Affected versions

<2.6.12, <2.7.0-rc.1

Patched versions

2.6.12, 2.7.0-rc.1

Description

Impact

Server-Side Request Forgery (SSRF) is an attack in which a malicious actor abuses an application's functionality to read or modify internal resources. This is typically accomplished by supplying a URL to the server, which the server then requests on the attacker's behalf. In an insertDocument API request, an admin who knows the API Secret Salt is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first.

Patches

Disabled following redirects in httpclient.execute, since the redirect no longer needs to be followed when the request is made with the already-resolved finalUrl.

BigBlueButton 2.6.12 patch: #18580
BigBlueButton 2.7.0-rc.1 patch: #18494
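The gap the patch closes is that a URL can pass validation and then, via an HTTP redirect, send the server somewhere that would never have passed. The following is an added illustration in Python, not BigBlueButton's own (Java) code: a fetcher that validates the resolved host, performs the request with redirects disabled, and treats any 3xx answer as a failure. The DNS and HTTP stand-ins (FAKE_DNS, FAKE_HTTP, demo_resolve, demo_transport) are constructed so it runs offline; the host names and addresses in them are invented.

```python
import ipaddress
from urllib.parse import urlparse


def host_is_internal(addresses):
    """True if any resolved address is not globally routable
    (loopback, RFC 1918, link-local such as 169.254.0.0/16, etc.)."""
    return any(not ipaddress.ip_address(a).is_global for a in addresses)


def fetch_presentation(url, resolve, transport):
    """Validate url, fetch it once, and refuse to follow redirects.

    resolve(hostname) -> list of IP strings; transport(url) -> (status, headers, body).
    Both are injected so the example runs offline; in production they would be
    real DNS and an HTTP client configured not to follow redirects."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    addresses = resolve(parts.hostname)
    if not addresses or host_is_internal(addresses):
        raise ValueError(f"host {parts.hostname!r} does not resolve to a public address")
    status, headers, body = transport(url)
    if 300 <= status < 400:
        # Following this would re-point the already-validated request elsewhere,
        # which is exactly the bypass; the hardened behaviour is to stop here.
        raise ValueError(f"redirect to {headers.get('Location')!r} refused")
    if status != 200:
        raise ValueError(f"unexpected status {status}")
    return body


# Constructed stand-ins for DNS and HTTP (invented hosts, no network access).
FAKE_DNS = {
    "decks.example": ["8.8.8.8"],              # globally routable: passes validation
    "metadata.internal": ["169.254.169.254"],  # link-local: blocked
}
FAKE_HTTP = {
    "https://decks.example/ok.pdf": (200, {}, b"%PDF-1.4 constructed sample"),
    # A host that passes validation but answers with a redirect to an internal address.
    "https://decks.example/hop.pdf": (302, {"Location": "http://metadata.internal/"}, b""),
}


def demo_resolve(host):
    return FAKE_DNS.get(host, [])


def demo_transport(url):
    return FAKE_HTTP[url]
```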

Workarounds

There are no workarounds. We recommend upgrading to a patched version of BigBlueButton.

References

This is a bypass of the earlier fix published as GHSA-3q22-hph2-cff7.

Credit

devme4f from VNPT-VCI, who contacted us via huntr.dev and responsibly disclosed this vulnerability.

Severity

Moderate
5.6 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE ID

CVE-2023-43798

Weaknesses