Description
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds.
Affected Software
{"id": "CVE-2022-41960", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2022-41960", "description": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds.", "published": "2022-12-16T00:15:00", "modified": "2022-12-20T19:07:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41960", "reporter": "security-advisories@github.com", "references": ["https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1", "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3", "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm"], "cvelist": ["CVE-2022-41960"], "immutableFields": [], "lastseen": "2023-02-09T14:45:01", "viewCount": 31, "enchantments": {"score": {"value": 2.8, "vector": "NONE"}, "affected_software": {"major_version": [{"name": "bigbluebutton", "version": 2}]}, "vulnersScore": 2.8}, "_state": {"dependencies": 1675961342, "score": 1675958347, "affected_software_major_version": 1677380494}, 
"_internal": {"score_hash": "502185b7ca5bcf32d226b9e0322dc09a"}, "cna_cvss": {"cna": "GitHub, Inc.", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "score": 4.3}}}, "cpe": [], "cpe23": [], "cwe": ["CWE-345"], "affectedSoftware": [{"cpeName": "bigbluebutton:bigbluebutton", "version": "2.4.3", "operator": "lt", "name": "bigbluebutton"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4.3:*:*:*:*:*:*:*", "versionEndExcluding": "2.4.3", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1", "name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1", "refsource": "MISC", "tags": ["Release Notes", "Third Party Advisory"]}, {"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3", "name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3", "refsource": "MISC", "tags": ["Release Notes", "Third Party Advisory"]}, {"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm", "name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm", "refsource": "MISC", "tags": ["Release Notes", "Third Party Advisory"]}], "product_info": [{"vendor": "bigbluebutton", "product": "bigbluebutton"}]}
{}