{"id":"CVE-2020-12443","details":"BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive.","modified":"2026-04-10T04:22:02.269917Z","published":"2020-04-29T02:15:11.467Z","references":[{"type":"FIX","url":"https://github.com/bigbluebutton/bigbluebutton/pull/9259/commits/b21ca8355a57286a1e6df96984b3a4c57679a463"},{"type":"EVIDENCE","url":"https://github.com/mclab-hbrs/BBB-POC"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bigbluebutton/bigbluebutton","events":[{"introduced":"0"},{"fixed":"db26d517a066f90f614e45eaf0c3e288a6800e05"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.2.6"}]}}],"versions":["2.2-beta-10","2.2-beta-11","2.2-beta-12","2.2-beta-14","2.2-beta-15","2.2-beta-16","2.2-beta-17","2.2-beta-2","2.2-beta-3","2.2-beta-4","2.2-beta-5","2.2-beta-6","2.2-beta-7","2.2-beta-8","2.2-beta-9","2.2-rc-4","2.2-rc-5","2.2-rc-6","dcs-2-a","v0.8","v0.8b4","v0.8b4.0","v0.8rc2","v0.9.0-beta","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.2.4","v2.2.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-12443.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}