CVE-2022-41960 MEDIUM

CVE-2022-41960: BigBlueButton contains DoS via failed authToken validation

Vendor Bigbluebutton
Product bigbluebutton
Weakness CWE-345
Published December 15, 2022
Last update April 17, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds.

Key dates

02Disclosure timeline

December 15, 2022 CVE published
April 17, 2025 Record updated