Overview
- Project: jitsi-meet
- Summary: Incorrect Default Permissions
- Severity: Medium
- Affected versions: All < 2.0.5963-1
- Fixed date: 2021-06-10
- Fixed version: 2.0.5963-1
- CVE: CVE-2021-33506
- Reported by: Simone Quatrini (SureCloud)
Description
The permission configuration of a jitsi-meet server configured with the default package configuration can allow an attacker to circumvent conference moderation.
Resolution
The default prosody configuration for conferences has been modified to include restrict_room_creation = true
Jitsi security advisories are posted in https://github.com/jitsi/security-advisories/tree/master/advisories