CVE-2023-33176

Summary

CVE-2023-33176 is a Server-Side Request Forgery (SSRF) vulnerability affecting the open-source virtual classroom software, BigBlueButton. In affected versions, an `insertDocument` API request allowed users to supply a URL for presentation download without proper validation. Malicious users could exploit this vulnerability to execute arbitrary requests on the server. To mitigate this issue, BigBlueButton developers updated the `followRedirect` method in the `PresentationUrlDownloadService`. This change validates all URLs for presentation download, ensuring they conform to specified protocols and do not originate from blocked hosts. Two new properties, `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts`, have been added to the `bigbluebutton.properties` file, enabling administrators to define these parameters. All URLs passed to `insertDocument` must adhere to the new property requirements and resolve to valid addresses that are not local or loopback. There are no known workarounds, and users are advised to upgrade to a patched version of BigBlueButton as soon as possible to prevent potential exploitation.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.