CVE-2022-36028

9.1 CRITICAL

📋 TL;DR

CVE-2022-36028 is an open redirect vulnerability in Greenlight, the web interface for BigBlueButton servers. Attackers can manipulate the 'return_to' cookie during login to redirect users to malicious websites after authentication. This affects all Greenlight installations prior to version 2.13.0.

💻 Affected Systems

Products:
  • Greenlight (BigBlueButton web interface)
Versions: All versions prior to 2.13.0
Operating Systems: Any OS running Greenlight
Default Config Vulnerable: ⚠️ Yes
Notes: All Greenlight deployments with default configurations are vulnerable. The vulnerability exists in the login page functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Users could be redirected to phishing sites that steal credentials or deliver malware, potentially compromising entire organizations through credential theft or malware infections.

🟠 Likely Case

Attackers redirect authenticated users to phishing pages to steal session tokens or credentials, leading to account compromise.

🟢 If Mitigated

With proper user awareness training and browser security controls, users might recognize suspicious redirects, limiting damage to isolated incidents.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit requires no authentication and is simple to execute by manipulating cookie values. Proof-of-concept details are available in public repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.13.0

Vendor Advisory: https://github.com/bigbluebutton/greenlight/commit/20fe1ee71b5703fcc4ed698a959ad224fed19623

Restart Required: Yes

Instructions:

  1. Backup your Greenlight installation and database.
  2. Update to Greenlight version 2.13.0 or later.
  3. Restart the Greenlight service.
  4. Verify the fix by testing the login redirect functionality.

🔧 Temporary Workarounds

Cookie Validation Filter (applies to: all)

Implement server-side validation to ensure 'return_to' cookie values only point to allowed domains.

Modify the Greenlight source code to validate the return_to value against the allowed domains before using it as a redirect target.
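A server-side allow-list check of the kind this workaround describes, as an added example that is not Greenlight's own code. ALLOWED_HOSTS and FALLBACK_PATH are assumed placeholders for the deployment's own hostname and landing page; the function only hands back a same-site path or an http(s) URL on an allow-listed host, and everything else collapses to the fallback.

```ruby
require "uri"

# Added example, not Greenlight's own code. ALLOWED_HOSTS and FALLBACK_PATH
# are assumed placeholders for the deployment's hostname(s) and landing page.
ALLOWED_HOSTS = ["bbb.example.org"].freeze
FALLBACK_PATH = "/"

# Return a redirect target that is safe to use after login: either a
# same-site relative path or an absolute http(s) URL whose host is on the
# allow list. Anything else collapses to the fallback path.
def safe_return_to(value, allowed_hosts: ALLOWED_HOSTS, fallback: FALLBACK_PATH)
  return fallback if value.nil?
  raw = value.strip
  return fallback if raw.empty?
  # Control characters (CR/LF in particular) have no place in a redirect target.
  return fallback if raw.match?(/[\u0000-\u001f\u007f]/)

  uri = begin
    URI.parse(raw)
  rescue URI::InvalidURIError
    return fallback
  end

  if uri.scheme
    # Absolute URL: only http/https to an allow-listed host. The host is taken
    # from the parser, so "https://bbb.example.org@evil.example/" is rejected
    # because its real host is evil.example, not the userinfo part.
    return fallback unless %w[http https].include?(uri.scheme.downcase)
    return fallback unless allowed_hosts.include?(uri.host.to_s.downcase)
    return raw
  end

  # Scheme-less value: a protocol-relative "//evil.example" still carries a
  # host and would leave the site, so only a plain "/path" is accepted.
  # The "//" and "/\" prefix checks are belt-and-braces on top of the parser.
  return fallback if uri.host
  return fallback unless raw.start_with?("/") && !raw.start_with?("//", "/\\")
  raw
end
```

Wire it in at the point where the login flow reads the cookie, so the redirect uses the value this function returns rather than the raw cookie.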

🧯 If You Can't Patch

  • Implement WAF rules to block redirects to external domains from login endpoints
  • Monitor logs for suspicious redirect patterns and implement user awareness training about phishing risks

🔍 How to Verify

Check if Vulnerable:

Set a 'return_to' cookie pointing at an external domain before logging in, then check whether the post-login redirect follows it to that external domain.

Check Version:

Check the Greenlight version in the web interface, or run 'cat /usr/share/bbb-web/config/initializers/version.rb' on the server.

Verify Fix Applied:

After patching, repeat the same test: redirects should only go to allowed internal domains.

📡 Detection & Monitoring

Log Indicators:

  • Unusual redirect patterns in access logs
  • Login attempts with suspicious return_to parameters

Network Indicators:

  • HTTP 302 redirects to external domains after successful authentication

SIEM Query:

source="greenlight_access.log" AND (status=302 OR status=301) AND url CONTAINS "return_to" AND url NOT CONTAINS "allowed-domain.com"
