PT-2022-26185 · Unknown · Bigbluebutton

Juraj Somorovsky +2 · Published 2022-12-16 · Updated 2022-12-20 · CVE-2022-41961

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: BigBlueButton versions prior to 2.4-rc-6

Description: The issue concerns ineffective user bans in BigBlueButton, an open-source web conferencing system. An attacker could register multiple users and join a meeting with one of them. If that user is banned, the attacker could still join the meeting with the remaining registered users that share the same extId. This is resolved by improving permissions so that banning a user removes all related users, including those who have not yet joined the meeting.

Recommendations: For versions prior to 2.4-rc-6, update to version 2.4-rc-6 or 2.5-alpha-1 to fix the issue. As a temporary workaround, consider manually removing all users related to the extId of a banned user to prevent them from joining the meeting. Restrict access to the meeting for users with the same extId as a banned user until the update is applied.
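The following is an added illustration, not BigBlueButton's own code: a small Python model of the ban logic described above, with the flawed per-user ban beside the extId-wide ban introduced by the fix. The class and method names, and the sample user/extId values, are constructed for this example; the point it demonstrates is that a ban keyed only on the internal user id leaves sibling registrations under the same extId able to join, while a ban keyed on the extId ejects every related user, joined or not, and refuses further registrations under that extId.

```python
"""Model of CVE-2022-41961 ban behaviour: per-user ban (flawed) vs extId-wide ban (fixed).

This is an illustrative model, not BigBlueButton's implementation.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RegisteredUser:
    user_id: str   # internal id, one per registration
    ext_id: str    # external identity supplied by the integrating application
    joined: bool = False


@dataclass
class Meeting:
    users: dict[str, RegisteredUser] = field(default_factory=dict)
    banned_ext_ids: set[str] = field(default_factory=set)
    banned_user_ids: set[str] = field(default_factory=set)

    def register(self, user_id: str, ext_id: str) -> bool:
        """Pre-register a user; refused once the extId has been banned."""
        if ext_id in self.banned_ext_ids:
            return False
        self.users[user_id] = RegisteredUser(user_id, ext_id)
        return True

    def join(self, user_id: str) -> bool:
        """Join succeeds only for a registered user whose ids are not banned."""
        user = self.users.get(user_id)
        if user is None or user_id in self.banned_user_ids or user.ext_id in self.banned_ext_ids:
            return False
        user.joined = True
        return True

    def ban_user_only(self, user_id: str) -> None:
        """Flawed behaviour (as described for versions before 2.4-rc-6):
        only the single internal user is ejected; siblings sharing the extId remain."""
        if self.users.pop(user_id, None) is not None:
            self.banned_user_ids.add(user_id)

    def ban_by_ext_id(self, user_id: str) -> list[str]:
        """Fixed behaviour: eject every user sharing the banned user's extId,
        whether or not they have joined, and block the extId for new registrations."""
        target = self.users.get(user_id)
        if target is None:
            return []
        self.banned_ext_ids.add(target.ext_id)
        removed = [uid for uid, u in self.users.items() if u.ext_id == target.ext_id]
        for uid in removed:
            del self.users[uid]
            self.banned_user_ids.add(uid)
        return removed


def scenario(fixed: bool) -> dict:
    """Constructed scenario: three registrations under one extId; the first joins and is banned.
    Returns what the remaining registrations can still do afterwards."""
    m = Meeting()
    for uid in ("u1", "u2", "u3"):
        m.register(uid, "ext-alice")  # constructed sample extId
    m.join("u1")
    if fixed:
        m.ban_by_ext_id("u1")
    else:
        m.ban_user_only("u1")
    return {
        "u2_can_join": m.join("u2"),
        "u3_can_join": m.join("u3"),
        "can_reregister": m.register("u4", "ext-alice"),
        "remaining": sorted(m.users),
    }


if __name__ == "__main__":
    print("flawed:", scenario(False))
    print("fixed: ", scenario(True))
```

Running the script shows the gap the advisory describes: under the flawed ban the two unjoined siblings still join and a fourth registration under the same extId is accepted; under the extId-wide ban all three are removed and the re-registration is refused. The same check (does any remaining registration share an extId with a banned user?) is what the manual workaround in the recommendations amounts to.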

Exploit

Fix

Weakness Enumeration

Insufficient Verification of Data Authenticity
Origin Validation Error

Related Identifiers

CVE-2022-41961
GHSA-WXJP-H88G-7FQG

Affected Products

Bigbluebutton