CVE-2022-36736

Note that a CVE number was assigned to jitsi-meet this morning without it going through a normal notification and validation process. We have contacted the security researcher to encourage them to follow the responsible disclosure procedures recommended by NIST and MITRE in the future.

We have conducted a preliminary evaluation and suspect it’s “working as intended”. There also appears to be some confusion on the part of the researcher about what would be a vulnerability against the jitsi-meet codebase vs. an issue with the configuration of the meet.jit.si offering, which has been further muddled by their apparent assumption that jitsi.com is in scope and under our control (it isn’t).

Mentioning this here because it hit Twitter via MITRE’s @CVEnew account, which has led to a couple of questions. We’ll make updates if we find a real underlying issue and issue a security advisory accordingly.
