Grace period for lock settings in public/private chats

Low
antobinary published GHSA-36vc-c338-6xjv Jun 1, 2022

Package

No package listed

Affected versions

2.2, <2.3.18, <2.4.1

Patched versions

2.3.18, 2.4.1

Description

Impact

An attacker could send messages to a locked chat within a grace period of 5s after any lock setting in the meeting was changed. The attacker needs to be a participant in the meeting.
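
The advisory does not show the affected code. The following added example is a simplified model, not BigBlueButton's implementation, of how a grace window after a lock-setting change lets a locked participant's message through, beside a check that applies the settings in force when the message arrives. The `Meeting` class, the function names, the setting names and the timestamps are all hypothetical.

```javascript
// Added illustration: simplified model of server-side chat lock enforcement.
// Not BigBlueButton code; every name and the data model are hypothetical.
const GRACE_MS = 5000; // the 5 s window named in the advisory

class Meeting {
  constructor() {
    this.lockSettings = { disablePublicChat: false, disablePrivateChat: false };
    this.lockChangedAt = -Infinity; // time (ms) of the last lock-setting change
  }
  setLock(name, value, now) {
    this.lockSettings[name] = value;
    this.lockChangedAt = now;
  }
}

// True when the current lock settings forbid this sender from posting.
function chatLockedFor(meeting, sender, chatType) {
  if (sender.role === 'MODERATOR' || !sender.locked) return false;
  return chatType === 'public'
    ? meeting.lockSettings.disablePublicChat
    : meeting.lockSettings.disablePrivateChat;
}

// Flawed form: a recent change to any lock setting suspends enforcement.
function mayPostWithGrace(meeting, sender, chatType, now) {
  const inGrace = now - meeting.lockChangedAt < GRACE_MS;
  return inGrace || !chatLockedFor(meeting, sender, chatType);
}

// Strict form: the decision depends only on the settings at receipt time.
function mayPostStrict(meeting, sender, chatType, _now) {
  return !chatLockedFor(meeting, sender, chatType);
}

// Constructed scenario: public chat is locked at t=0, then a different
// lock setting is changed at t=60 s while public chat stays locked.
function scenario(check) {
  const m = new Meeting();
  const viewer = { role: 'VIEWER', locked: true };
  m.setLock('disablePublicChat', true, 0);
  const results = [check(m, viewer, 'public', 30000)]; // long after the lock
  m.setLock('disablePrivateChat', true, 60000);        // any lock change
  results.push(check(m, viewer, 'public', 61000));     // 1 s after the change
  results.push(check(m, viewer, 'public', 66000));     // window has elapsed
  return results;
}

console.log('with grace:', scenario(mayPostWithGrace));
console.log('strict:    ', scenario(mayPostStrict));
```

A regression test for this class of bug should send a message from a locked viewer immediately after a lock-setting change and expect a rejection, as the second entry of each result array does here.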

Patches

Patched on BigBlueButton 2.3.18 and higher.
Patched on BigBlueButton 2.4.1 and higher.

Workarounds

No workaround.

References

Patched on BigBlueButton 2.4 #13850
Patched on BigBlueButton 2.3 #14265

For more information

If you have any questions or comments about this advisory:

Credits

We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.

Severity

Low

CVE ID

CVE-2022-29234

Weaknesses

No CWEs