CVE-2020-27604

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-27604
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-27604.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-27604
Published
2020-10-21T15:15:26.967Z
Modified
2026-04-10T04:25:39.374838Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.

References

Affected packages

Git / github.com/bigbluebutton/bigbluebutton

Affected ranges

Type
GIT
Repo
https://github.com/bigbluebutton/bigbluebutton
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
d8cb8573e3e22b0124b16108662f8f9a895f062b
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.2.8"
        }
    ]
}

Affected versions

2.*
2.2-beta-10
2.2-beta-11
2.2-beta-12
2.2-beta-14
2.2-beta-15
2.2-beta-16
2.2-beta-17
2.2-beta-2
2.2-beta-3
2.2-beta-4
2.2-beta-5
2.2-beta-6
2.2-beta-7
2.2-beta-8
2.2-beta-9
2.2-rc-4
2.2-rc-5
2.2-rc-6
Other
dcs-2-a
v0.*
v0.8
v0.8b4
v0.8b4.0
v0.8rc2
v0.9.0-beta
v2.*
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-27604.json"