Improper privilege management - Anyone can view room settings. in bigbluebutton/greenlight


Reported on May 22nd 2022


Hi bigbluebutton maintainers, I would like to report an improper privilege management issue; it allows anyone to view any room's settings.

Proof of Concept

  1. To demonstrate the vulnerability, I've created a room
  2. Run this curl command to get the room settings
curl -i -s -k -X $'GET' \
    -H $'Host:' \
    -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0' \
    -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' \
    -H $'Accept-Language: en-US,en;q=0.5' \
    -H $'Accept-Encoding: gzip, deflate' \
    -H $'Dnt: 1' \
    -H $'Upgrade-Insecure-Requests: 1' \
    -H $'Sec-Fetch-Dest: document' \
    -H $'Sec-Fetch-Mode: navigate' \
    -H $'X-Requested-With: XMLHttpRequest' \
    -H $'Sec-Fetch-Site: none' \
    -H $'Sec-Fetch-User: ?1' \
    -H $'Te: trailers' \
    -H $'Connection: close' \

The response looks like

  3. Note that there is no token/secret in the above curl command


Allowing anyone to view any room settings
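As an added illustration (not Greenlight's code or the reporter's), the following plain-Ruby, Rack-style model contrasts the behaviour in the report, where a bare GET with no session or secret returns a room's settings, with a handler that first authenticates the caller and then checks room ownership. The room, users, cookie name and path layout are all constructed for the example.

```ruby
# Added example, not Greenlight's code: a plain-Ruby, Rack-style model of a
# room-settings endpoint. The unprotected handler reproduces the behaviour in
# the report (settings returned to a bare GET with no session or secret); the
# protected one requires a session and room ownership. Room, users, cookie
# name and path layout are all constructed for the example.
ROOMS = {
  "abc-def-ghi" => { owner: "alice",
                     settings: { "muteOnStart" => true, "anyoneCanStart" => false } },
}.freeze
SESSIONS = { "s3ss-alice" => "alice", "s3ss-bob" => "bob" }.freeze
ADMINS   = ["carol"].freeze
ROUTE    = %r{\A/rooms/([^/]+)/settings\z}

# Resolves the logged-in user from the Cookie header, or nil when it is absent
# or unknown (the curl command in the report sends no Cookie at all).
def session_user(env)
  pairs = env["HTTP_COOKIE"].to_s.split(/;\s*/).map { |kv| kv.split("=", 2) }
  SESSIONS[pairs.select { |p| p.size == 2 }.to_h["session_id"]]
end

# Vulnerable: the room id in the path is the only input; nothing checks who
# is asking, so any request that carries a valid room id gets its settings.
def settings_unprotected(env)
  room = ROOMS[env["PATH_INFO"][ROUTE, 1]]
  room ? [200, room[:settings]] : [404, { "error" => "not found" }]
end

# Hardened: authenticate, then authorise against the room's owner (or an admin)
# before anything about the room is disclosed. Error bodies stay generic.
def settings_protected(env)
  user = session_user(env)
  return [401, { "error" => "authentication required" }] unless user
  room = ROOMS[env["PATH_INFO"][ROUTE, 1]]
  return [404, { "error" => "not found" }] unless room
  return [403, { "error" => "forbidden" }] unless room[:owner] == user || ADMINS.include?(user)
  [200, room[:settings]]
end

if __FILE__ == $PROGRAM_NAME
  anon  = { "PATH_INFO" => "/rooms/abc-def-ghi/settings" }   # no Cookie, like the curl above
  alice = anon.merge("HTTP_COOKIE" => "session_id=s3ss-alice")
  bob   = anon.merge("HTTP_COOKIE" => "session_id=s3ss-bob")
  p settings_unprotected(anon)  # [200, {...}]  the reported behaviour
  p settings_protected(anon)    # [401, ...]
  p settings_protected(bob)     # [403, ...]
  p settings_protected(alice)   # [200, {...}]
end
```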

We are processing your report and will contact the bigbluebutton/greenlight team within 24 hours. a month ago
We have contacted a member of the bigbluebutton/greenlight team and are waiting to hear back a month ago
We have sent a follow up to the bigbluebutton/greenlight team. We will try again in 7 days. a month ago
Anton Georgiev
a month ago


Hi @xiviu!

Thank you for reporting this!!

Overall you are spot-on with your finding about the issue and how to trigger it. However, it is part of a different component of BigBlueButton.

Could you please tweak this (or re-open it) towards GreenLight -- version 2.12.5

For "Occurrence" you could point to

Please tweak it so that when we patch it the fix link is to the targeted project. Much appreciated!


25 days ago


Hi @admin, how should I proceed with this?

Anton Georgiev
25 days ago


Hi @xiviu, please open a new report but use version 2.12.5 instead of

For "Occurrence" you could point to instead of the current

Once you open the new (more accurate) report we can close this one.

Thanks again! -Anton

We have sent a second follow up to the bigbluebutton/greenlight team. We will try again in 10 days. 24 days ago
Jamie Slome
23 days ago


@antobinary - sorted 👍

The report is now pointing to the greenlight repository and I have updated the occurrence to your suggestion :)

Let me know if you have any further questions or issues!

Anton Georgiev modified the Severity from High to Low 18 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Anton Georgiev validated this vulnerability 18 days ago

Thanks @xiviu for the report! Thanks @Jamie for applying the tweaks to the report!

We confirm this is an issue with GreenLight <=2.12.5 and we're looking into patching it.

Upon further investigation the actual severity is Low, though: the information that could be revealed to the world is just a few settings related to the meeting. No IDs, no secrets, no user data, etc. We are still going to patch it, of course.

We have created a GitHub Security Advisory (private for the moment; it will be published after the patch has been released and after some time has been provided for administrators to upgrade). That advisory will have a CVE associated with it, so there is no need to duplicate this here.

xiviu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the bigbluebutton/greenlight team. We will try again in 7 days. 15 days ago
Anton Georgiev
11 days ago


Hi @xiviu,

We have fixed the issue via and released a patch -

On June 17 (in 3 days) we will be in a position to mark this as fixed. We provided a few days to our community to upgrade their GreenLight to the patched version.

We have sent a second fix follow up to the bigbluebutton/greenlight team. We will try again in 10 days. 8 days ago
Anton Georgiev
4 days ago


We have made public the security advisory -

Anton Georgiev confirmed that a fix has been merged on d4edbe 4 days ago
The fix bounty has been dropped