1. Home
  2. CVE Database
  3. CVE-2022-41961
MEDIUM · 4.3

CVE-2022-41961

BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of t...

Vulnerability Description

BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE

Affected Products

VendorProductVersions
BigbluebuttonBigbluebutton< 2.4

Related Weaknesses (CWE)

CWE-346CWE-345

References

FAQ

What is CVE-2022-41961?

CVE-2022-41961 is a vulnerability with a CVSS score of 4.3 (MEDIUM). BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of t...

How severe is CVE-2022-41961?

CVE-2022-41961 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-41961?

Check the references section above for vendor advisories and patch information. Affected products include: Bigbluebutton Bigbluebutton.