CVE-2022-41961

MEDIUM

BigBlueButton < 2.4-rc-6 - Ineffective User Ban Enforcement via Shared extId

Title source: llm
STIX 2.1

Description

BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds.

References (3)

Core 3
Core References
Patch, Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wxjp-h88g-7fqg
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1

Scores

CVSS v3 4.3
EPSS 0.0028
EPSS Percentile 19.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-345 CWE-346
Status published
Products (2)
bigbluebutton/bigbluebutton 2.4 alpha1 (10 CPE variants)
bigbluebutton/bigbluebutton < 2.4
Published Dec 16, 2022
Tracked Since Feb 18, 2026