CVE-2022-41960 - OpenCVE

BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bigbluebutton	Bigbluebutton

Configuration 1 [-]

cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-12-15T23:56:26.500Z

Updated: 2024-08-03T12:56:38.614Z

Reserved: 2022-09-30T16:38:28.947Z

Link: CVE-2022-41960

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-12-16T00:15:13.530

Modified: 2022-12-20T19:07:33.083

Link: CVE-2022-41960

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-41960", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "dateReserved": "2022-09-30T16:38:28.947Z", "datePublished": "2022-12-15T23:56:26.500Z", "dateUpdated": "2024-08-03T12:56:38.614Z"}, "containers": {"cna": {"title": "BigBlueButton contains DoS via failed authToken validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm"}, {"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3"}, {"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1", "tags": ["x_refsource_MISC"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1"}], "affected": [{"vendor": "bigbluebutton", "product": "bigbluebutton", "versions": [{"version": "< 2.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-15T23:56:26.500Z"}, "descriptions": [{"lang": "en", "value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds."}], "source": {"advisory": "GHSA-rgjp-3r74-g4cm", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:56:38.614Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm"}, {"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3"}, {"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*", "matchCriteriaId": "56A77DE5-1BFB-4B62-8C14-A2347B85F844", "versionEndExcluding": "2.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds."}, {"lang": "es", "value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. Las versiones anteriores a la 2.4.3 est\u00e1n sujetas a una verificaci\u00f3n insuficiente de la autenticidad de los datos, lo que resulta en una Denegaci\u00f3n de Servicio (DoS). Un atacante puede realizar una llamada Meteor a \"validateAuthToken\" utilizando el ID de usuario, el ID de reuni\u00f3n y un token de autenticaci\u00f3n no v\u00e1lido de la v\u00edctima. Esto obliga a la v\u00edctima a abandonar la conferencia, porque el cliente de la v\u00edctima tambi\u00e9n observa y maneja el error de verificaci\u00f3n resultante. El atacante debe participar en cualquier reuni\u00f3n en el servidor. Este problema se solucion\u00f3 en la versi\u00f3n 2.4.3. No hay workaround."}], "id": "CVE-2022-41960", "lastModified": "2022-12-20T19:07:33.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-12-16T00:15:13.530", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "security-advisories@github.com", "type": "Primary"}]}