- Project: jitsi-meet-electron
- Summary: Multiple Remote Code Execution issues
- Severity: High
- Affected versions: All < 2.3.0
- Fixed date: 2020-07-01
- Fixed version: 2.3.0
- CVE: N/A
- Reported by: Juho Nurminen (Mattermost)
Multiple issues that could yield to Remote Code Execution (RCE) have been found:
- RCE via UNC paths: an atacker with a modified Jitsi Meet server could use the exposed
shellOpenExternalfunction to open a custom binary in the user's path. - RCE via lack of consent in remote control: an attacker could run a modified Jitsi Meet server to trigger a user into enabling remote control and thus execute remote commands.
- RCE via prototype pollution: an attacker with a modified Jitsi Meet server could use prototype pollution to bypass
checks in
shellOpenExternaland thus result in RCE.
- Restricted URLs which will be opened externally: https://github.com/jitsi/jitsi-meet-electron/commit/962470d97e8faefa5728ff4c324ce387cfd456e0
- The external API is now bundles so no remote code is executed on the user machine outside of the iframe: https://github.com/jitsi/jitsi-meet-electron/commit/c4aefb05b5404cfc9b7c0e25eb3bb638684beb48
- Remote Control has been disabled: https://github.com/jitsi/jitsi-meet-electron/commit/0b88a783f3f7658d7e04e8a868ffbb4b56b77c7b
Jitsi security advisories are posted in https://github.com/jitsi/security-advisories/tree/master/advisories