===========================================================================
ZMCIRT Vulnerability Bulletin

ZMC-2022.17.08.1000
Zoom Client for Meetings for macOS: CVSS (Max): 8.8
17th August 2022
===========================================================================

Product:           Zoom Client for Meetings for macOS
Publisher:         Zoom
Operating System:  macOS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-28756

Original Bulletin:
   https://explore.zoom.us/en/trust/security/security-bulletin/?filter-cve=&filter=&keywords=ZSB-22018+

Comment: CVSS (Max):  8.8 CVE-2022-28756 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: Zoom
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

ZSB-22018 - Local Privilege Escalation in Auto Updater for Zoom Client for
Meetings for macOS

Published: 08/13/2022
CVE: CVE-2022-28756
Severity: High
CVSS Score: 8.8
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description:

The Zoom Client for Meetings for macOS (Standard and for IT Admin) starting
with version 5.7.3 and before 5.11.5 contains a vulnerability in the auto
update process. A local low-privileged user could exploit this vulnerability
to escalate their privileges to root.

Users can help keep themselves secure by applying current updates or
downloading the latest Zoom software with all current security updates from
https://zoom.us/download.

Affected Products:

  o Zoom Client for Meetings for macOS (Standard and for IT Admin) starting
    version 5.7.3 and before version 5.11.5

Source:

Reported by Patrick Wardle of Objective-See

---------------------------END INCLUDED TEXT--------------------

ZMCIRT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. ZMCIRT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Internet Email: report@cirt.zm
Telephone:      7070
                ZMCIRT personnel answer during Zambian business hours
                which are 8am to 5pm.
                On call after hours for member emergencies only.
===========================================================================
Copyright @2023 ZAMBIA CIRT