
Cloud Vulnerability DB
A community-led vulnerabilities database
Apache OpenMeetings, a web conferencing application, was found to contain a critical vulnerability (CVE-2023-29032) affecting versions from 3.1.3 before 7.1.0. The vulnerability allows an attacker who has gained access to certain private information to impersonate other users, effectively bypassing authentication mechanisms (Apache Mailing List, Hacker News).
The vulnerability has been assigned a CVSS v3.1 Base Score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue stems from an authentication bypass vulnerability related to invitation handling. The flaw occurs when an invitation exists without a room attached to it, which can lead to unrestricted access (NVD, Sonar Blog).
When successfully exploited, this vulnerability allows attackers to gain unrestricted access to user accounts, including admin accounts. This access enables attackers to make modifications to the OpenMeetings instance, including adding and removing users and groups, changing room settings, and terminating sessions of connected users (Sonar Blog).
The vulnerability was patched in Apache OpenMeetings version 7.1.0, released on May 9, 2023. The fix involves adjusting the setUser method to prevent derivation of permissions from the given user when the rights set is empty (Sonar Blog).
Source: This report was generated using AI