#VU70686 Insufficient verification of data authenticity in BigBlueButton - CVE-2022-41961

Cybersecurity Help s.r.o.

Published: 2023-01-04

Vulnerability identifier: #VU70686

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-41961

CWE-ID: CWE-345

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
BigBlueButton
Web applications / Modules and components for CMS

Vendor: Blindside Networks

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient verification of data authenticity. A remote user can register multiple users and join the meeting with one of them.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

BigBlueButton: before 2.4

External links
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wxjp-h88g-7fqg

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in BigBlueButton