CVE-2022-41960 Vulnerability Details

  /     /     /  

CVE-2022-41960 Metadata Quick Info

CVE Published: 15/12/2022 | CVE Updated: 03/08/2024 | CVE Year: 2022
Source: GitHub_M | Vendor: bigbluebutton | Product: bigbluebutton
Status : PUBLISHED

CVE-2022-41960 Description

BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim\'s userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim\'s client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds.

Metrics

CVSS Version: 3.1 | Base Score: 4.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* LOW
    User Interaction (UI)* NONE
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* NONE
    Integrity Impact (I)* NONE
    Availability Impact (A)* LOW

Weakness Enumeration (CWE)

CWE-ID: CWE-345
CWE Name: CWE-345: Insufficient Verification of Data Authenticity
Source: bigbluebutton

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).