CVE-2021-30480

Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat software, which is different from the chat feature of the Zoom Meetings and Zoom Video Webinars software.

CVSS v3 8.8 HIGH
CVSS v2.0 9.0 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/zoom-zero-day-discovery-makes-calls-safer-hackers-200000-richer/	Third Party Advisory
https://explore.zoom.us/en/trust/security/security-bulletin/	Vendor Advisory
https://sector7.computest.nl/post/2021-08-zoom/	Exploit Third Party Advisory
https://twitter.com/thezdi/status/1379855435730149378	Third Party Advisory
https://twitter.com/thezdi/status/1379859851061395459	Third Party Advisory
https://www.securityweek.com/200000-awarded-zero-click-zoom-exploit-pwn2own	Press/Media Coverage Third Party Advisory
https://www.zdnet.com/article/critical-zoom-vulnerability-triggers-remote-code-execution-without-user-input/	Press/Media Coverage Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-971/	Third Party Advisory VDB Entry
https://zoom.us/feature/messaging	Product Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

cpe:2.3:a:zoom:chat:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-04-09 23:15

Updated : 2021-09-21 17:46

NVD link : CVE-2021-30480

Mitre link : CVE-2021-30480

CVE.ORG link : CVE-2021-30480

JSON object : View

Products Affected

microsoft

windows

apple

macos

zoom

chat

CWE

NVD-CWE-noinfo

{"id": "CVE-2021-30480", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.8}]}, "published": "2021-04-09T23:15:12.957", "references": [{"url": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/zoom-zero-day-discovery-makes-calls-safer-hackers-200000-richer/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://explore.zoom.us/en/trust/security/security-bulletin/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://sector7.computest.nl/post/2021-08-zoom/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://twitter.com/thezdi/status/1379855435730149378", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://twitter.com/thezdi/status/1379859851061395459", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.securityweek.com/200000-awarded-zero-click-zoom-exploit-pwn2own", "tags": ["Press/Media Coverage", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.zdnet.com/article/critical-zoom-vulnerability-triggers-remote-code-execution-without-user-input/", "tags": ["Press/Media Coverage", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-971/", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://zoom.us/feature/messaging", "tags": ["Product", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat software, which is different from the chat feature of the Zoom Meetings and Zoom Video Webinars software."}, {"lang": "es", "value": "Zoom Chat versi\u00f3n hasta el 09-04-2021 en Windows y macOS, permite a determinados atacantes autenticados remotamente ejecutar c\u00f3digo arbitrario sin la interacci\u00f3n del usuario. Un atacante debe pertenecer a la misma organizaci\u00f3n o una parte externa que haya sido aceptada como contacto. NOTA: esto es espec\u00edfico del software Zoom Chat, que es diferente de la funcionalidad de chat del software Zoom Meetings y Zoom Video Webinars"}], "lastModified": "2021-09-21T17:46:11.590", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zoom:chat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "319ECBD3-CE8D-461B-A0C8-B1586E8F9B29", "versionEndIncluding": "2021-04-09"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}