Impact
An attacker could register multiple users for the same meeting and join with one of them. When that user is banned, the attacker could still join the meeting with the remaining registered users, because the ban only removed the single user that had joined.
Workarounds
No Workarounds.
References
We improved permissions such that banning a user removes all users related to their extId, including registered users that have not yet joined the meeting.
Patch in BigBlueButton 2.4-rc-6 | #13766
Patch in BigBlueButton 2.5-alpha-1 | #13262
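The following is an added illustration of the flaw and the fix described above; it is not BigBlueButton's own code. It models a meeting's registered users with an internal per-join id and an application-supplied extId (the field names `int_id`, `ext_id` and the `w_*` / `attacker-ext` sample values are assumptions), and contrasts a ban that removes only the banned join with one that removes every registration sharing the same extId.

```python
"""Constructed model of the ban-handling flaw (not BigBlueButton code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RegisteredUser:
    int_id: str  # one internal id per join request (assumed naming)
    ext_id: str  # identity supplied by the integrating application
    name: str


@dataclass
class Meeting:
    registered: dict = field(default_factory=dict)  # int_id -> RegisteredUser
    joined: set = field(default_factory=set)         # int_ids currently in the meeting

    def register(self, int_id: str, ext_id: str, name: str) -> None:
        """Register a user (what a join API call does before the user connects)."""
        self.registered[int_id] = RegisteredUser(int_id, ext_id, name)

    def join(self, int_id: str) -> bool:
        """Only a still-registered user may enter the meeting."""
        if int_id not in self.registered:
            return False
        self.joined.add(int_id)
        return True

    def ban_by_int_id(self, int_id: str) -> None:
        """Vulnerable behaviour: removes only the banned join, leaving the
        attacker's other registrations for the same extId untouched."""
        self.registered.pop(int_id, None)
        self.joined.discard(int_id)

    def ban_by_ext_id(self, int_id: str) -> None:
        """Fixed behaviour: removes every user sharing the banned user's extId,
        including registered users that have not joined yet."""
        banned = self.registered.get(int_id)
        if banned is None:
            return
        for iid, user in list(self.registered.items()):
            if user.ext_id == banned.ext_id:
                del self.registered[iid]
                self.joined.discard(iid)


def attacker_can_rejoin(use_fix: bool) -> bool:
    """Run the advisory's scenario; True means the ban was bypassed."""
    m = Meeting()
    # Constructed sample data: one attacker identity registered three times.
    m.register("w_1", "attacker-ext", "Mallory")
    m.register("w_2", "attacker-ext", "Mallory")
    m.register("w_3", "attacker-ext", "Mallory")
    m.register("w_9", "honest-ext", "Alice")
    assert m.join("w_1")
    if use_fix:
        m.ban_by_ext_id("w_1")
    else:
        m.ban_by_int_id("w_1")
    return m.join("w_2")


def honest_user_unaffected(use_fix: bool) -> bool:
    """The fix must not evict users with a different extId."""
    m = Meeting()
    m.register("w_1", "attacker-ext", "Mallory")
    m.register("w_9", "honest-ext", "Alice")
    if use_fix:
        m.ban_by_ext_id("w_1")
    else:
        m.ban_by_int_id("w_1")
    return m.join("w_9")


if __name__ == "__main__":
    print("vulnerable: attacker rejoins =", attacker_can_rejoin(use_fix=False))
    print("fixed:      attacker rejoins =", attacker_can_rejoin(use_fix=True))
```

The key-by-extId removal is the whole fix: any ban keyed on the per-join internal id can be sidestepped by whoever can mint additional join requests for the same identity, so the ban has to act on the identity the integrating application supplied rather than on the individual session.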
For more information
If you have any questions or comments about this advisory:
Email us at security at bigbluebutton.org
Credits
We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.