CyberSec.Space Logo
Back to CVE Browser

CVE-2020-12443

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0890%
EPSS Percentile2.03th
PublishedApr 29, 2020
Last ModifiedNov 21, 2024

Vulnerability Description

BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive.

Affected Platforms (CPE)

πŸ“¦
Bigbluebutton

Bigbluebutton

< 2.2.6

References & Advisories

πŸ”— https://github.com/bigbluebutton/bigbluebutton/pull/9259/commits/b21ca8355a57286a1e6df96984b3a4c57679a463
πŸ”— https://github.com/mclab-hbrs/BBB-POC
πŸ”— https://github.com/bigbluebutton/bigbluebutton/pull/9259/commits/b21ca8355a57286a1e6df96984b3a4c57679a463
πŸ”— https://github.com/mclab-hbrs/BBB-POC

Related Vulnerabilities

CVE-2020-276029.8

BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken.

CVE-2020-276059.8

BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks...

CVE-2020-261638.8

BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a vict...

CVE-2020-276138.4

The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local...