Impact
In BigBlueButton before 2.3.18, an attacker could circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks relied on knowledge of internal ids rather than on verification of the role of the user.
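To illustrate the flaw described above, here is an added example (not BigBlueButton's own code; the meeting, user and breakout-room objects are constructed for this illustration) that places an id-knowledge check beside a role-based check for entering a breakout room of the parent meeting:

```javascript
// Constructed sample data: one parent meeting, a moderator, two viewers,
// and two breakout rooms with one viewer assigned to each.
const meeting = {
  id: 'parent-1',
  users: {
    'u-mod': { role: 'MODERATOR' },
    'u-alice': { role: 'VIEWER' },
    'u-bob': { role: 'VIEWER' },
  },
  breakouts: {
    'br-1': { parentId: 'parent-1', assigned: new Set(['u-alice']) },
    'br-2': { parentId: 'parent-1', assigned: new Set(['u-bob']) },
  },
};

// Flawed pattern: the only "check" is that the caller is some meeting user
// and produced a breakout id that exists. Knowledge of the internal id is
// treated as authorization, so every room in the meeting is reachable.
function canJoinBreakoutById(m, userId, breakoutId) {
  return userId in m.users && breakoutId in m.breakouts;
}

// Role-based pattern: the caller must be a member of the parent meeting the
// room belongs to, and then either hold the moderator role or be explicitly
// assigned to that particular room. The id alone grants nothing.
function canJoinBreakoutByRole(m, userId, breakoutId) {
  const user = m.users[userId];
  const room = m.breakouts[breakoutId];
  if (!user || !room || room.parentId !== m.id) return false;
  if (user.role === 'MODERATOR') return true;
  return room.assigned.has(userId);
}

// Rooms a given user may enter under a given policy, for side-by-side comparison.
function visibleBreakouts(m, userId, check) {
  return Object.keys(m.breakouts).filter((id) => check(m, userId, id)).sort();
}
```

Under the id-based policy a viewer sees every breakout room; under the role-based policy a viewer sees only the room assigned to them while a moderator still sees all of them.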
Patches
Patched on BigBlueButton 2.4-rc-1 and higher.
Patched on BigBlueButton 2.3.18 and higher.
Workarounds
No workaround.
References
Patched on BigBlueButton 2.4 #13117
Patched on BigBlueButton 2.3 #14265
For more information
If you have any questions or comments about this advisory:
Credits
We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.