CVE-2021-39215

EUVD-2021-25592
Jitsi Meet is an open source video conferencing application. In versions prior to 2.0.5963, a Prosody module allows the use of symmetrical algorithms to validate JSON web tokens. This means that tokens generated by arbitrary sources can be used to gain authorization to protected rooms. This issue is fixed in Jitsi Meet 2.0.5963. There are no known workarounds aside from updating.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
GitHub_MCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
Affected Products (NVD)
VendorProductVersion
8x8jitsi_meet
2.0.5963
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/jitsi/jitsi-meet/pull/9319
https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-45ff-37jm-xjfx
https://github.com/jitsi/jitsi-meet/pull/9319
https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-45ff-37jm-xjfx