
CVE-2024-33530

Severity: Medium
SVRS: 30/100
CVSSv3: 7.5/10
EPSS: 0.0011/1

CVE-2024-33530: Password disclosure in Jitsi Meet before version 9391. This vulnerability exposes the password of password-protected Jitsi meetings when users who were waiting in the lobby are invited into the call. While the CVSS score is 7.5, SOCRadar's Vulnerability Risk Score (SVRS) is 30, suggesting a lower immediate risk than critical vulnerabilities, but one that still requires monitoring. The vulnerability is a logic flaw in lobby management and invitation handling, classified as CWE-640. Successful exploitation allows unauthorized access to otherwise protected meetings. Although tagged "In The Wild," the moderate SVRS score suggests limited active exploitation at present. Organizations using Jitsi Meet should prioritize updating to the latest version to mitigate this risk, since disclosure of the meeting password undermines the security of private meetings.

Tags: In The Wild
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2025-04-09

2024-05-02
SOCRadar AI Insight

Description:

CVE-2024-33530 is a logic flaw in password-protected Jitsi Meet meetings that allows the disclosure of the meeting password to users invited to a call after waiting in the lobby. This vulnerability has a low CVSS score of 0, but its SVRS of 30 indicates a moderate level of risk.

Key Insights:

  • Password Disclosure: This vulnerability allows attackers to obtain the password for password-protected Jitsi Meet meetings, potentially granting them access to sensitive information or disrupting ongoing meetings.
  • Lobby Bypass: The flaw is triggered when a user is invited to a meeting after waiting in the lobby, bypassing the intended password protection mechanism.
  • Active Exploitation: This vulnerability is actively exploited in the wild, making it a high-priority threat for organizations using Jitsi Meet.

Mitigation Strategies:

  • Update Jitsi Meet: Install the latest version of Jitsi Meet (9391 or later) to patch the vulnerability.
  • Disable Lobby: Consider disabling the lobby feature for password-protected meetings to prevent the exploitation of this vulnerability.
  • Use Strong Passwords: Encourage users to use strong and unique passwords for Jitsi Meet meetings to minimize the impact of password disclosure.
  • Monitor for Suspicious Activity: Regularly monitor Jitsi Meet logs and network traffic for any suspicious activity that may indicate exploitation attempts.

Additional Information:

  • Threat Actors/APT Groups: No specific threat actors or APT groups have been identified as actively exploiting this vulnerability.
  • Exploit Status: Active exploits have been published for this vulnerability.
  • CISA Warnings: The Cybersecurity and Infrastructure Security Agency (CISA) has not issued a warning for this vulnerability.


Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE


News

CVE-2024-33530 | Jitsi Meet up to 9390 Password-protected Meetings information disclosure
vuldb.com, 2024-05-02
CVE-2024-33530 | Jitsi Meet up to 9390 Password-protected Meetings information disclosure | A vulnerability has been found in Jitsi Meet up to 9390 and classified as problematic. This vulnerability affects unknown code of the component Password-protected Meetings. The manipulation leads to information disclosure. This vulnerability was named CVE-2024-33530. The attack can only be initiated within the local network. There is

Social Media

  • CVE-2024-33530: Jitsi Meet Flaw Leaks Meeting Passwords, Exposing Calls to Intruders https://t.co/dElTemt96m
  • CVE-2024-33530: Jitsi Meet Flaw Leaks Meeting Passwords, Exposing Calls to Intruders https://t.co/CnqD8oQ2oX
  • CVE-2024-33530 In Jitsi Meet before 9391, a logic flaw in password-protected Jitsi meetings (that make use of a lobby) leads to the disclosure of the meeting password when a user is… https://t.co/ZA9rUgmBj0
  • "This logic flaw leads to the disclosure of the meeting password when a user is invited to the call after waiting in the lobby." CVE-2024-33530 Vulnerability in Jitsi Meet: Meeting Password Disclosure affecting Meetings with Lobbies https://t.co/L3CDuEUXOy iocs: https://insinuator.net/2024/05/vulnerability-in-jitsi-meet-meeting-password-disclosure-affecting-meetings-with-lobbies/
  • "This logic flaw leads to the disclosure of the meeting password when a user is invited to the call after waiting in the lobby." CVE-2024-33530 Vulnerability in Jitsi Meet: Meeting Password Disclosure affecting Meetings with Lobbies https://t.co/L3CDuEUXOy

Affected Software

No affected software found for this CVE

References

Source | Link
[email protected] | https://insinuator.net/2024/05/vulnerability-in-jitsi-meet-meeting-password-disclosure-affecting-meetings-with-lobbies/
AF854A3A-2127-422B-91AE-364DA2661108 | https://insinuator.net/2024/05/vulnerability-in-jitsi-meet-meeting-password-disclosure-affecting-meetings-with-lobbies/
[email protected] | https://insinuator.net/2024/05/vulnerability-in-jitsi-meet-meeting-password-disclosure-affecting-meetings-with-lobbies/
GITHUB | https://insinuator.net/2024/05/vulnerability-in-jitsi-meet-meeting-password-disclosure-affecting-meetings-with-lobbies/

CWE Details

CWE ID | CWE Name | Description
CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
