← Back to CVE List

CVE-2020-12443

Published: 2020-04-29T02:15Z
Last Modified: 2024-11-21T04:59Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt