CVE-2020-27606

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-27606

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-27606.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-27606

Published

2020-10-21T15:15:27.110Z

Modified

2026-04-10T04:26:37.734235Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.

References

https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html

Affected packages

Git / github.com/bigbluebutton/bigbluebutton

Affected ranges

Type

GIT

Repo

https://github.com/bigbluebutton/bigbluebutton

Events

Introduced

Fixed

563625097e7ebcef462a9e8001798ddb203f1810

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.2.28"
        }
    ]
}

Affected versions

2.*

2.2-beta-10

2.2-beta-11

2.2-beta-12

2.2-beta-14

2.2-beta-15

2.2-beta-16

2.2-beta-17

2.2-beta-2

2.2-beta-3

2.2-beta-4

2.2-beta-5

2.2-beta-6

2.2-beta-7

2.2-beta-8

2.2-beta-9

2.2-rc-4

2.2-rc-5

2.2-rc-6

Other

dcs-2-a

v0.*

v0.8

v0.8b4

v0.8b4.0

v0.8rc2

v0.9.0-beta

v2.*

v2.2.0

v2.2.1

v2.2.10

v2.2.11-good

v2.2.12

v2.2.14

v2.2.15

v2.2.16

v2.2.17

v2.2.18

v2.2.19

v2.2.2

v2.2.20

v2.2.21

v2.2.22

v2.2.23

v2.2.24

v2.2.25

v2.2.26

v2.2.27

v2.2.3

v2.2.4

v2.2.5

v2.2.6

v2.2.7

v2.2.8

v2.2.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-27606.json"