{"id":"CVE-2022-29236","summary":"Improper access control for pencil annotations in BigBlueButton","details":"BigBlueButton is an open-source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. Because of a previously introduced grace period, the permission check is inadvertently skipped on the server. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds.","aliases":["GHSA-p93g-r9gm-9v6r"],"modified":"2026-04-10T04:47:10.686209Z","published":"2022-06-01T23:25:12Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29236.json","cwe_ids":["CWE-285"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"},{"type":"WEB","url":"https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29236.json"},{"type":"ADVISORY","url":"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29236"},{"type":"FIX","url":"https://github.com/bigbluebutton/bigbluebutton/pull/13803"},{"type":"FIX","url":"https://github.com/bigbluebutton/bigbluebutton/pull/14265"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bigbluebutton/bigbluebutton","events":[{"introduced":"68e35c9d722e62892d2e885646a9eab3bf44f77d"},{"fixed":"0bcb8c2b9e850b99faae7fcfb3d1014e64bff97d"}],"database_specific":{"versions":[{"introduced":"2.2"},{"fixed":"2.3.18"}]}},{"type":"GIT","repo":"https://github.com/bigbluebutton/bigbluebutton","events":[{"introduced":"f037f0a259dd4e6e41e095a5ca4adcb2666bb8dc"},{"fixed":"07cfcd376a44aceb543bcb8f098cf34d73b6b8b
f"}],"database_specific":{"versions":[{"introduced":"2.4-alpha-1"},{"fixed":"2.4-rc-6"}]}}],"versions":["2.4-rc-2","v2.4-alpha-1","v2.4-beta-1","v2.4-beta-2","v2.4-beta-3","v2.4-beta-4","v2.4-rc-1","v2.4-rc-3","v2.4-rc-4","v2.4-rc-5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29236.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}