Multiple vulnerabilities in BigBlueButton
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2022-41961 CVE-2022-41962 CVE-2022-23488 |
| CWE-ID | CWE-345 CWE-863 CWE-668 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
BigBlueButton Web applications / Modules and components for CMS |
| Vendor | Blindside Networks |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Insufficient verification of data authenticity
EUVDB-ID: #VU70686
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-41961
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient verification of data authenticity. A remote user can register multiple users and join the meeting with one of them.
MitigationInstall updates from vendor's website.
Vulnerable software versionsBigBlueButton: before 2.4 rc-6
CPE2.3 External linkshttp://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1
http://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6
http://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wxjp-h88g-7fqg
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Incorrect authorization
EUVDB-ID: #VU70687
Risk: Low
CVSSv3.1: 2.4 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-41962
CWE-ID:
CWE-863 - Incorrect Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass authorization checks.
The vulnerability exists due to improper access control for setting emoji status. A remote administrator can use the feature of clear status to set any emoji status for other users.
MitigationInstall updates from vendor's website.
Vulnerable software versionsBigBlueButton: before 2.4 rc-6
CPE2.3 External linkshttp://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1
http://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6
http://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-88qf-33qm-9mm7
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Exposure of Resource to Wrong Sphere
EUVDB-ID: #VU70691
Risk: Medium
CVSSv3.1: 5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-23488
CWE-ID:
CWE-668 - Exposure of resource to wrong sphere
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to improper enforcement of moderator-only webcams setting. A remote user can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsBigBlueButton: before 2.4 rc-6
CPE2.3 External linkshttp://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6
http://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
