CVE-2022-29169

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-29169

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29169.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-29169

Aliases

GHSA-rwrv-p665-4vwp

Published

2022-06-01T22:20:12Z

Modified

2025-12-04T10:21:02.052135Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

ReDoS on endpoint html5client/useragent in BigBlueButton

Details

BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using specific a RegularExpression, an attacker can cause denial of service for the bbb-html5 service. The useragent library performs checking of device by parsing the input of User-Agent header and lets it go through lookupUserAgent() (alias of useragent.lookup() ). This function handles input by regexing and attackers can abuse that by providing some ReDos payload using SmartWatch. The maintainers removed htmlclient/useragent from versions 2.3.19, 2.4.7, and 2.5.0-beta.2. As a workaround, disable NginX forwarding the requests to the handler according to the directions in the GitHub Security Advisory.

Database specific

{
    "cwe_ids": [
        "CWE-20"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29169.json"
}

References

Affected packages

Git / github.com/bigbluebutton/bigbluebutton

Affected ranges

Type

GIT

Repo

https://github.com/bigbluebutton/bigbluebutton

Events

Introduced

68e35c9d722e62892d2e885646a9eab3bf44f77d

Fixed

e9df2db16f902a453a250819dffd8029f9ca956d

Database specific

{
    "versions": [
        {
            "introduced": "2.2"
        },
        {
            "fixed": "2.3.19"
        }
    ]
}

Type

GIT

Repo

https://github.com/bigbluebutton/bigbluebutton

Events

Introduced

72d5e54e3eb3cd442d23dc097158fe81f1efda82

Fixed

eda21682ea3fd472c8d16fe7ec6bcf0f80370a6f

Database specific

{
    "versions": [
        {
            "introduced": "2.4.0"
        },
        {
            "fixed": "2.4.7"
        }
    ]
}

Type

GIT

Repo

https://github.com/bigbluebutton/bigbluebutton

Events

Introduced

60302d3e353cea201fbd02912302d7f040f0dc27

Fixed

a2ef36723ac49176002cb96f16a205f0f11743c9

Database specific

{
    "versions": [
        {
            "introduced": "2.5-alpha-1"
        },
        {
            "fixed": "2.5.0-beta.2"
        }
    ]
}

Affected versions

v2.*

v2.4.5

v2.4.6

v2.5-alpha-1

v2.5-alpha-2

v2.5-alpha-3

v2.5-alpha-4

v2.5.0-alpha.5

v2.5.0-alpha.6

v2.5.0-beta.1