CVE-2024-39302

Published: Jun 28, 2024Modified: Nov 21, 2024

3.7

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploitability: 2.2 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` directory with the goal of privilege escalation, potentially exposing sensitive information on the server. This issue has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (8)

https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18

Source: security-advisories@github.com

https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a

Source: security-advisories@github.com

https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a

Source: security-advisories@github.com

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q

Source: security-advisories@github.com

https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.