← Volver a CVEs
CVE-2022-41960
MEDIUM4.3
Descripcion
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds.
Detalles CVE
Puntuacion CVSS v3.14.3
SeveridadMEDIUM
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosLOW
Interaccion usuarioNONE
Publicado12/16/2022
Ultima modificacion11/21/2024
Fuentenvd
Avistamientos honeypot0
Productos afectados
bigbluebutton:bigbluebutton
Debilidades (CWE)
CWE-345
Referencias
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3(security-advisories@github.com)
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1(security-advisories@github.com)
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm(security-advisories@github.com)
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm(af854a3a-2127-422b-91ae-364da2661108)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.