CVE-2023-33176 Information

Description

BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an insertDocument API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the followRedirect method in the PresentationUrlDownloadService has been made to validate all URLs to be used for presentation download. Two new properties presentationDownloadSupportedProtocols and presentationDownloadBlockedHosts have also been added to bigbluebutton.properties to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to insertDocument must conform to the requirements of the two previously mentioned properties. Additionally these URLs must resolve to valid addresses and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton.

Reference

https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415 https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7 https://github.com/bigbluebutton/bigbluebutton/pull/18045 https://github.com/bigbluebutton/bigbluebutton/pull/18052 https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71