Impact
An attacker who can obtain the meeting identifier of a meeting on a server can read information about an external video being shared in that meeting, such as the current playback timestamp and its play/pause state, without being a participant of the meeting.
Patches
The problem has been patched in the currently maintained versions of BigBlueButton, 2.3 and 2.4, by changing the stream so that the external video data is sent only to users who are in the meeting, rather than to anyone who supplies the meeting identifier.
Patched in 2.4-rc-6 and higher.
Patched in 2.3.18 and higher.
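The shape of the fix, as an added illustration that is not BigBlueButton's own code: the vulnerable publication selects the shared-video record by the meeting identifier the subscriber supplies, so knowing the identifier is enough to receive the data; the hardened publication first resolves the caller's own user record and refuses the subscription unless that user is a current participant of the requested meeting. The collection layout, field names (`connectionStatus`, `externalVideoUrl`), function names and sample data are assumptions made for the example.

```javascript
// Added example, not BigBlueButton code. Field names, collections and the
// constructed sample data below are assumptions for illustration only.

// Constructed sample data: two meetings, three users, one shared video.
const users = [
  { userId: 'u-alice', meetingId: 'meet-123', connectionStatus: 'online' },
  { userId: 'u-bob',   meetingId: 'meet-123', connectionStatus: 'offline' }, // left
  { userId: 'u-carol', meetingId: 'meet-999', connectionStatus: 'online' },  // other meeting
];

const externalVideo = [
  { meetingId: 'meet-123', externalVideoUrl: 'https://example.invalid/v', playing: true, time: 42.5 },
];

// Vulnerable shape: the only selector is the meetingId supplied by the
// subscriber, so anyone who learns the identifier receives the stream.
function publishExternalVideoUnsafe(requestedMeetingId) {
  return externalVideo.filter(v => v.meetingId === requestedMeetingId);
}

// Hardened shape: look up the authenticated caller's own user record (in a
// real server this comes from the session, never from client input) and
// only publish if that user is currently in the requested meeting.
function publishExternalVideoSafe(requestedMeetingId, callerUserId) {
  const caller = users.find(u => u.userId === callerUserId);
  if (!caller) return [];                                 // unknown / unauthenticated
  if (caller.meetingId !== requestedMeetingId) return []; // not a member of this meeting
  if (caller.connectionStatus !== 'online') return [];    // no longer in the meeting
  return externalVideo.filter(v => v.meetingId === caller.meetingId);
}

// Convenience for comparing both behaviours for one caller.
function compare(requestedMeetingId, callerUserId) {
  return {
    unsafeRecords: publishExternalVideoUnsafe(requestedMeetingId).length,
    safeRecords: publishExternalVideoSafe(requestedMeetingId, callerUserId).length,
  };
}

console.log('outsider carol:', compare('meet-123', 'u-carol')); // unsafe leaks, safe does not
console.log('member alice:  ', compare('meet-123', 'u-alice'));  // both deliver the record
```

The important property is that the authorization decision is derived from server-side state about the caller, not from any value the subscriber sends; the meeting identifier alone is treated as a routing key, never as a credential.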
Workarounds
No workaround.
References
Patch for BigBlueButton 2.4-rc-6 #13788
Patch for BigBlueButton 2.3.18 #14265
For more information
If you have any questions or comments about this advisory:
Credits
We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.