Impact
The whiteboard had a grace period intended to handle delayed messages, but an attacker could use this grace period to keep taking whiteboard actions for the few seconds after their access was revoked. The attacker had to be a meeting participant.
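As an added illustration, not BigBlueButton's own code, here is a simplified model of the flaw: an authorization check that keeps accepting a participant's whiteboard messages during a grace window after revocation, beside a strict check in which revocation takes effect immediately. The class, method names and the 3-second window are assumptions.

```javascript
// Hypothetical model of a whiteboard permission check with a revocation
// grace period. Not BigBlueButton's implementation; values are constructed.
const GRACE_MS = 3000; // assumed window meant to tolerate delayed messages

class WhiteboardAcl {
  constructor() {
    this.allowed = new Set();      // users currently permitted to draw
    this.revokedAt = new Map();    // userId -> time (ms) access was revoked
  }
  grant(userId) { this.allowed.add(userId); this.revokedAt.delete(userId); }
  revoke(userId, now) { this.allowed.delete(userId); this.revokedAt.set(userId, now); }

  // Vulnerable: a message processed within GRACE_MS of revocation is still
  // accepted, so the revoked participant can keep drawing for a few seconds.
  canDrawWithGrace(userId, now) {
    if (this.allowed.has(userId)) return true;
    const t = this.revokedAt.get(userId);
    return t !== undefined && now - t < GRACE_MS;
  }

  // Hardened: only the permission in force at processing time decides.
  // Trade-off: a legitimate message sent just before revocation but arriving
  // after it is dropped, which is the price of making revocation immediate.
  canDrawStrict(userId) {
    return this.allowed.has(userId);
  }
}

// Replays the same scenario against a given check: alice is revoked at
// t=10000 ms and then sends messages 1 s and 5 s later (constructed times).
function simulate(check) {
  const acl = new WhiteboardAcl();
  acl.grant('alice');
  const beforeRevoke = check(acl, 'alice', 9000);
  acl.revoke('alice', 10000);
  const afterRevoke = [11000, 15000].map((t) => check(acl, 'alice', t));
  return { beforeRevoke, afterRevoke };
}

function vulnerableOutcome() {
  return simulate((acl, u, t) => acl.canDrawWithGrace(u, t));
}
function hardenedOutcome() {
  return simulate((acl, u) => acl.canDrawStrict(u));
}
```

In the vulnerable variant the first post-revocation message (1 s later) is still accepted; the strict variant rejects both while still allowing drawing before revocation.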
Workarounds
No workarounds
References
Patch in BigBlueButton 2.4.3 | #13853 | #13931
Patch in BigBlueButton 2.5-alpha-4 | #14575
For more information
If you have any questions or comments about this advisory:
Email us at security at bigbluebutton.org
Credits
We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.