Impact
An attacker could send messages to a locked chat within a grace period of 5 seconds after any lock setting in the meeting was changed. The attacker needs to be a participant in the meeting.
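The following is an added example, not code from BigBlueButton or from this advisory: a check over a meeting's event timeline that flags viewer chat messages accepted while chat was locked and within 5 seconds of a lock-setting change. The event schema, role names, setting names and the sample timeline are assumptions constructed for illustration.

```python
from dataclasses import dataclass

GRACE_SECONDS = 5.0  # grace period stated in the advisory


@dataclass
class Event:
    # Hypothetical event record; field names are assumptions, not BigBlueButton's schema.
    ts: float                  # seconds since meeting start
    kind: str                  # "lock_change" or "chat"
    user: str = ""
    role: str = ""             # "MODERATOR" or "VIEWER" (chat events)
    setting: str = ""          # which lock setting changed (lock_change events)
    chat_locked: bool = False  # chat lock state after the change


def find_grace_window_messages(events):
    """Return viewer chat events that were accepted while chat was locked
    and within GRACE_SECONDS of the most recent lock-setting change."""
    chat_locked = False
    last_change = None
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "lock_change":
            # Any lock setting change restarts the window, not only the chat lock.
            chat_locked = ev.chat_locked
            last_change = ev.ts
        elif ev.kind == "chat" and ev.role == "VIEWER" and chat_locked:
            if last_change is not None and ev.ts - last_change <= GRACE_SECONDS:
                hits.append(ev)
    return hits


# Constructed sample timeline (not real meeting data).
SAMPLE = [
    Event(0.0, "chat", user="alice", role="VIEWER"),              # chat unlocked
    Event(10.0, "lock_change", setting="public_chat", chat_locked=True),
    Event(12.5, "chat", user="mallory", role="VIEWER"),           # inside window
    Event(14.0, "chat", user="teacher", role="MODERATOR"),        # not a viewer
    Event(60.0, "lock_change", setting="webcam", chat_locked=True),
    Event(63.0, "chat", user="mallory", role="VIEWER"),           # window reopened
    Event(70.0, "chat", user="mallory", role="VIEWER"),           # outside window
    Event(90.0, "lock_change", setting="public_chat", chat_locked=False),
    Event(91.0, "chat", user="alice", role="VIEWER"),             # chat unlocked
]

if __name__ == "__main__":
    for ev in find_grace_window_messages(SAMPLE):
        print(f"{ev.ts:>6.1f}s  {ev.user}: accepted while chat locked")
```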
Patches
Patched on BigBlueButton 2.3.18 and higher.
Patched on BigBlueButton 2.4.1 and higher.
Workarounds
No workaround.
References
Patched on BigBlueButton 2.4 #13850
Patched on BigBlueButton 2.3 #14265
For more information
If you have any questions or comments about this advisory:
Credits
We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.