Zoom addressed six flaws, including two high-severity issues that could allow remote attackers to escalate privileges or leak sensitive information.
Zoom addressed six vulnerabilities in its video conferencing and communication platform. Two of these vulnerabilities, tracked as CVE-2024-45421 and CVE-2024-45419, are high-severity issues that remote attackers could exploit to escalate privileges or leak sensitive information.
The vulnerability CVE-2024-45421 (CVSS score of 8.5) is a buffer overflow issue that an authenticated attacker could exploit over the network to escalate privileges.
“Buffer overflow in some Zoom Apps may allow an authenticated user to conduct an escalation of privilege via network access.” reads the advisory.
The vulnerability CVE-2024-45419 (CVSS score of 8.5) is an improper input validation issue that can be exploited remotely without authentication.
“Improper input validation in some Zoom Apps may allow an unauthenticated user to conduct a disclosure of information via network access.” continues the advisory.
Zoom Offensive Security reported both vulnerabilities. They affect the Zoom Workplace App, Rooms Client, Rooms Controller, Video SDK, and Meeting SDK before version 6.2.0 across desktop and mobile platforms, and the Workplace VDI Client for Windows before version 6.1.12 (except version 6.0.14).
The company also addressed four medium-severity issues, tracked as CVE-2024-45422, CVE-2024-45420, CVE-2024-45418, and CVE-2024-45417.
The vulnerability CVE-2024-45422 is an improper input validation issue in some Zoom Apps before version 6.2.0. An unauthenticated user can exploit the flaw to trigger a denial of service condition via network access.
The vulnerability CVE-2024-45420 is an uncontrolled resource consumption in some Zoom Apps before version 6.2.0. An authenticated user can exploit the flaw to trigger a denial of service condition via network access.
The vulnerability CVE-2024-45418 is a Symbolic Link Following issue in Zoom Apps for macOS.
“Symlink following in the installer for some Zoom apps for macOS before version 6.1.5 may allow an authenticated user to conduct an escalation of privilege via network access.” reads the advisory.
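The advisory does not describe how the installer follows the link, so the following is a generic illustration of the symlink-following bug class rather than Zoom's code or a reproduction of CVE-2024-45418. It is an added example: a privileged installer that writes into a directory an unprivileged user can stage files in, shown first with a plain open() that follows a planted link, then with a hardened writer that walks from a trusted base directory with openat-style calls and O_NOFOLLOW so that no link component is ever traversed. The function names, the staging layout and the file contents are all constructed for the example.

```python
import os
import tempfile

# Added demonstration of symlink following in a privileged writer.
# naive_write, safe_write and demo are invented names; the staging
# directory, the protected file and their contents are constructed.


def naive_write(path, data):
    """Vulnerable pattern: open() follows symlinks, so a link planted by an
    unprivileged user in the staging directory redirects the privileged
    write onto whatever file the link points at."""
    with open(path, "wb") as f:
        f.write(data)


def safe_write(base, relpath, data):
    """Hardened pattern: resolve each component below a trusted base with
    openat()-style calls and O_NOFOLLOW, so a symlink at any level makes
    the open fail (ELOOP) instead of being followed. The final open also
    carries O_NOFOLLOW, which closes the check-then-open race on the last
    component."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("relpath must stay below base")
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    fd = os.open(base, dir_flags)
    try:
        for part in parts[:-1]:
            nfd = os.open(part, dir_flags, dir_fd=fd)  # refuses symlinked dirs
            os.close(fd)
            fd = nfd
        file_flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        ffd = os.open(parts[-1], file_flags, 0o644, dir_fd=fd)  # refuses a symlinked file
    finally:
        os.close(fd)
    with os.fdopen(ffd, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: staging/config.plist is a symlink to a
    protected file. Returns what the protected file holds after the naive
    write, whether the hardened write was blocked, what the protected file
    holds afterwards, and a legitimate file written through safe_write."""
    with tempfile.TemporaryDirectory() as base:
        protected = os.path.join(base, "protected.txt")
        with open(protected, "wb") as f:
            f.write(b"original")
        staging = os.path.join(base, "staging")
        os.mkdir(staging)
        os.symlink(protected, os.path.join(staging, "config.plist"))

        # Vulnerable writer: the write lands on protected.txt.
        naive_write(os.path.join(staging, "config.plist"), b"attacker")
        with open(protected, "rb") as f:
            after_naive = f.read()

        # Reset and retry with the hardened writer.
        with open(protected, "wb") as f:
            f.write(b"original")
        blocked = False
        try:
            safe_write(base, "staging/config.plist", b"attacker")
        except OSError:
            blocked = True
        with open(protected, "rb") as f:
            after_safe = f.read()

        # A regular (non-link) target still works through the hardened path.
        safe_write(base, "staging/real.plist", b"ok")
        with open(os.path.join(staging, "real.plist"), "rb") as f:
            legit = f.read()

        return after_naive, blocked, after_safe, legit


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the naive writer overwriting the protected file through the link, the hardened writer raising instead, and a regular file still being written. On a real installer the same rule applies to every path derived from a user-writable location: open it relative to a directory descriptor you trust, never follow links, and do not rely on a separate lstat() check that a user can race.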
The vulnerability CVE-2024-45417 is an Uncontrolled Resource Consumption in Zoom Apps for macOS.
“Uncontrolled resource consumption in the installer for some Zoom apps for macOS before version 6.1.5 may allow a privileged user to conduct a disclosure of information via local access.” reads the advisory.
Pierluigi Paganini
(SecurityAffairs – hacking, video conferencing and communication platform)