PT-2022-26184 · Unknown · Bigbluebutton

Juraj Somorovsky +2 · Published 2022-12-15 · Updated 2022-12-20 · CVE-2022-41960

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: BigBlueButton versions prior to 2.4.3
Description: The issue is related to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to validateAuthToken using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server.
Recommendations: For versions prior to 2.4.3, update to version 2.4.3 to resolve the issue. As a temporary workaround, consider restricting access to the validateAuthToken function until the update is applied. Additionally, restrict participants' ability to make Meteor calls carrying an invalid authToken to minimize the risk of exploitation.

Exploit

Fix

DoS

Insufficient Verification of Data Authenticity

Weakness Enumeration

Related Identifiers

CVE-2022-41960
GHSA-RGJP-3R74-G4CM

Affected Products

Bigbluebutton