CVE-2022-41960

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-41960

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41960.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-41960

Aliases

GHSA-rgjp-3r74-g4cm

Published

2022-12-15T23:56:26.500Z

Modified

2025-12-04T10:38:46.651784Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

BigBlueButton contains DoS via failed authToken validation

Details

BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to validateAuthToken using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds.

Database specific

{
    "cwe_ids": [
        "CWE-345"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41960.json"
}

References

Affected packages

Git / github.com/bigbluebutton/bigbluebutton

Affected ranges

Type: GIT
Repo: https://github.com/bigbluebutton/bigbluebutton
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

e7773468fb45d86200ae28bdf8c39f4ba487cf88

Affected versions

0.*

0.81-dev-deskshare-fixes-compatible-with-0.8

2.*

2.2-beta-10

2.2-beta-11

2.2-beta-12

2.2-beta-14

2.2-beta-15

2.2-beta-16

2.2-beta-17

2.2-beta-18

2.2-beta-19

2.2-beta-2

2.2-beta-20

2.2-beta-21

2.2-beta-22

2.2-beta-23

2.2-beta-3

2.2-beta-4

2.2-beta-5

2.2-beta-6

2.2-beta-7

2.2-beta-8

2.2-beta-9

2.2-rc-1

2.2-rc-2

2.2-rc-3

2.2-rc-4

2.2-rc-5

2.2-rc-6

2.4-rc-2

Other

dcs-2-a

pre-recording-merge

v0.*

v0.7

v0.71

v0.71a

v0.8

v0.81

v0.81b

v0.81rc

v0.81rc2

v0.81rc3

v0.81rc4

v0.81rc5

v0.8b4

v0.8b4.0

v0.8rc2

v0.9.0-beta

v0.9.1

v0.9.2

v1.*

v1.0.0

v1.1.0

v2.*

v2.0-rc2

v2.0-rc3

v2.0-rc4

v2.0-rc5

v2.0-rc6

v2.0-rc7

v2.0.x-html5-beta1

v2.2.0

v2.2.1

v2.2.10

v2.2.11-good

v2.2.12

v2.2.14

v2.2.15

v2.2.16

v2.2.17

v2.2.18

v2.2.19

v2.2.2

v2.2.20

v2.2.21

v2.2.22

v2.2.23

v2.2.24

v2.2.25

v2.2.26

v2.2.27

v2.2.28

v2.2.29

v2.2.3

v2.2.30

v2.2.31

v2.2.32

v2.2.33

v2.2.34

v2.2.35

v2.2.36

v2.2.4

v2.2.5

v2.2.6

v2.2.7

v2.2.8

v2.2.9

v2.3-alpha-1

v2.3-alpha-2

v2.3-alpha-3

v2.3-alpha-4

v2.3-alpha-5

v2.3-alpha-6

v2.3-alpha-7

v2.3-alpha-8

v2.3-beta-1

v2.3-beta-2

v2.3-beta-3

v2.3-beta-4

v2.3-beta-5

v2.3-rc-1

v2.3-rc-2

v2.3.0

v2.3.1

v2.3.10

v2.3.11

v2.3.12

v2.3.13

v2.3.14

v2.3.2

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

v2.4-alpha-1

v2.4-alpha-2

v2.4-beta-1

v2.4-beta-2

v2.4-beta-3

v2.4-beta-4

v2.4-rc-1

v2.4-rc-3

v2.4-rc-4

v2.4-rc-5

v2.4-rc-6

v2.4-rc-7

v2.4.0

v2.4.1

v2.4.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41960.json"