SB2023010413 - Multiple vulnerabilities in BigBlueButton

Description

This security bulletin contains information about 3 vulnerabilities.

1) Insufficient verification of data authenticity (CVE-ID: CVE-2022-41961)

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient verification of data authenticity. A remote user can register multiple users and join the meeting with one of them.

2) Incorrect authorization (CVE-ID: CVE-2022-41962)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to bypass authorization checks.

The vulnerability exists due to improper access control for setting emoji status. A remote administrator can use the feature of clear status to set any emoji status for other users.

3) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2022-23488)

CWE-ID: CWE-668 - Exposure of resource to wrong sphere

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to improper enforcement of moderator-only webcams setting. A remote user can gain unauthorized access to sensitive information on the system.

Remediation

Install update from vendor's website.

References

• https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1
• https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6
• https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wxjp-h88g-7fqg
• https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-88qf-33qm-9mm7
• https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq