===========================================================================
ZMCIRT Vulnerability Bulletin
ZMC-2022.17.08.1000
Zoom Client for Meetings for macOS: CVSS (Max): 8.8
17th August 2022
===========================================================================
Product: Zoom Client for Meetings for macOS
Publisher: Zoom
Operating System: macOS
Resolution: Patch/Upgrade
CVE Names: CVE-2022-28756
Original Bulletin:
https://explore.zoom.us/en/trust/security/security-bulletin/?filter-cve=&filter=&keywords=ZSB-22018+
Comment: CVSS (Max): 8.8 CVE-2022-28756 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVSS Source: Zoom
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
---------------------------BEGIN INCLUDED TEXT--------------------
ZSB-22018 - Local Privilege Escalation in Auto Updater for Zoom Client for Meetings for macOS
Published: 08/13/2022
CVE: CVE-2022-28756
Severity: High
CVSS Score: 8.8
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description: The Zoom Client for Meetings for macOS (Standard and for IT
Admin) starting with version 5.7.3 and before 5.11.5 contains a vulnerability
in the auto update process. A local low-privileged user could exploit this
vulnerability to escalate their privileges to root.
Users can help keep themselves secure by applying current updates or
downloading the latest Zoom software with all current security updates from
https://zoom.us/download.
Affected Products:
o Zoom Client for Meetings for macOS (Standard and for IT Admin) starting
with version 5.7.3 and before version 5.11.5
Source: Reported by Patrick Wardle of Objective-See
---------------------------END INCLUDED TEXT--------------------
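The affected range above (5.7.3 or later, but earlier than 5.11.5) is easy to misjudge with a string comparison, since "5.9.10" sorts after "5.11.5" lexicographically. The following added check script is not part of the Zoom or ZMCIRT bulletin; it compares dotted versions numerically and, on macOS, reads the installed version from /Applications/zoom.us.app (the app path and plist key are assumptions, and a constructed sample version is used where that file is absent).

```shell
#!/bin/sh
# Added example (not from the bulletin): classify a Zoom macOS client version
# against the affected range of CVE-2022-28756, i.e. >= 5.7.3 and < 5.11.5.

# Compare two dotted version strings numerically; prints -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading component of each
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"   # drop it (or finish)
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai=$((${ai:-0})); bi=$((${bi:-0}))   # missing component counts as 0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when VERSION falls inside the affected range [5.7.3, 5.11.5).
zoom_version_affected() {
    v="$1"
    [ "$(vercmp "$v" 5.7.3)" -ge 0 ] && [ "$(vercmp "$v" 5.11.5)" -lt 0 ]
}

# On macOS read CFBundleShortVersionString from the app bundle (assumed
# location); elsewhere return a constructed sample so the script still runs.
installed_zoom_version() {
    plist=/Applications/zoom.us.app/Contents/Info.plist
    if [ -r "$plist" ] && command -v defaults >/dev/null 2>&1; then
        v="$(defaults read "$plist" CFBundleShortVersionString)"
    else
        v="5.10.4"   # constructed sample value, not a real reading
    fi
    printf '%s\n' "${v%% *}"   # strip a trailing " (build)" suffix if present
}

v="$(installed_zoom_version)"
if zoom_version_affected "$v"; then
    echo "Zoom $v is in the affected range; update to 5.11.5 or later"
else
    echo "Zoom $v is not in the affected range for CVE-2022-28756"
fi
```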
ZMCIRT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. ZMCIRT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Internet Email: report@cirt.zm
Telephone: 7070
ZMCIRT personnel answer during Zambian business hours
which are 8am to 5pm.
On call after hours for member emergencies only.
===========================================================================
Copyright © 2023 ZAMBIA CIRT