SB2023010413 - Multiple vulnerabilities in BigBlueButton
Published: January 4, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Insufficient verification of data authenticity (CVE-ID: CVE-2022-41961)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient verification of data authenticity. A remote user can register multiple users and join the meeting with one of them.
2) Incorrect authorization (CVE-ID: CVE-2022-41962)
The vulnerability allows a remote user to bypass authorization checks.
The vulnerability exists due to improper access control for setting emoji status. A remote administrator can use the feature of clear status to set any emoji status for other users.
3) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2022-23488)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to improper enforcement of moderator-only webcams setting. A remote user can gain unauthorized access to sensitive information on the system.
Remediation
Install update from vendor's website.
References
- https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1
- https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wxjp-h88g-7fqg
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-88qf-33qm-9mm7
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq