SB2021032221 - Information disclosure in Zoom client
Published: March 22, 2021 Updated: May 24, 2022
Security Bulletin ID
SB2021032221
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2021-28133)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists within the screen lock functionality due to the way the Zoom client for Windows and Linux handles screen sharing. When a user shares a specific application window via the Share Screen
functionality, other meeting participants can briefly see contents of
other application windows that were explicitly not shared.
Remediation
Install update from vendor's website.
References
- http://seclists.org/fulldisclosure/2021/Mar/48
- https://thehackernews.com/2021/03/new-zoom-screen-sharing-bug-lets-other.html
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-044.txt
- https://www.syss.de/pentest-blog/syss-2020-044-sicherheitsproblem-in-screen-sharing-funktionalitaet-von-zoom-cve-2021-28133
- https://www.youtube.com/watch?v=SonmmgQlLzg
- https://zoom.us/trust/security/security-bulletin