Improper access control in BigBlueButton - CVE-2022-29236
Published: June 2, 2022 / Updated: May 14, 2026
BigBlueButton
Detailed vulnerability description
The vulnerability allows a remote user to circumvent access restrictions for drawing on the whiteboard.
The vulnerability exists due to improper access control in the server-side permission check applied when handling whiteboard pencil annotation actions. A remote user can send unauthorized annotation actions to circumvent access restrictions for drawing on the whiteboard.
The attacker must be a meeting participant.