CVE-2022-41961

MEDIUM

Bigbluebutton < 2.4 - Origin Validation Error

Title source: rule

Description

BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds.

References (3)

[Release Notes, Third Party Advisory] https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6

[Release Notes, Third Party Advisory] https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1

[Patch, Release Notes, Third Party Advisory] https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wxjp-h88g-7fqg

Scores

CVSS v3 4.3

EPSS 0.0012

EPSS Percentile 31.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Classification

CWE

CWE-345 CWE-346

Status published

Affected Products (11)

bigbluebutton/bigbluebutton < 2.4

bigbluebutton/bigbluebutton

Timeline

Published Dec 16, 2022

Tracked Since Feb 18, 2026