CVE-2021-33907

The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context.

CVSS v3 9.8 CRITICAL
CVSS v2.0 10.0 HIGH

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

10.0^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://explore.zoom.us/en/trust/security/security-bulletin/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zoom:meetings:*:*:*:*:*:windows:*:*

History

No history.

Information

Published : 2021-09-27 14:15

Updated : 2021-10-06 19:01

NVD link : CVE-2021-33907

Mitre link : CVE-2021-33907

CVE.ORG link : CVE-2021-33907

JSON object : View

Products Affected

zoom

meetings

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2021-33907", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-09-27T14:15:08.027", "references": [{"url": "https://explore.zoom.us/en/trust/security/security-bulletin/", "tags": ["Vendor Advisory"], "source": "security@zoom.us"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context."}, {"lang": "es", "value": "Zoom Client for Meetings para Windows en todas las versiones anteriores a 5.3.0, no comprueba correctamente la informaci\u00f3n del certificado usada para firmar los archivos .msi cuando se lleva a cabo una actualizaci\u00f3n del cliente. Esto podr\u00eda conllevar a una ejecuci\u00f3n de c\u00f3digo remota en un contexto con privilegios elevados"}], "lastModified": "2021-10-06T19:01:09.047", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zoom:meetings:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "47D1059A-DCEF-4068-8C98-87B3F7729A6C", "versionEndExcluding": "5.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@zoom.us"}

9.8 /10