Multiple vulnerabilities in Zoom Rooms client for Windows
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2023-34120 CVE-2023-34121 |
| CWE-ID | CWE-269 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Zoom Rooms Client for Windows Client/Desktop applications / Office applications |
| Vendor | Zoom Video Communications, Inc. |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper privilege management
EUVDB-ID: #VU77159
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-34120
CWE-ID:
CWE-269 - Improper Privilege Management
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper privilege management. A local user can utilize higher level system privileges maintained by the Zoom client to spawn processes with escalated privileges.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoom Rooms Client for Windows: 5.0.0 1420.0426 - 5.13.10 2558
CPE2.3- cpe:2.3:a:zoom_video_communications:zoom_rooms_for_windows:5.0.0:1420.0426:*:*:*:*:*:*
- cpe:2.3:a:zoom_video_communications:zoom_rooms_for_windows:5.0.2:1459.0524:*:*:*:*:*:*
- cpe:2.3:a:zoom_video_communications:zoom_rooms_for_windows:5.0.4:1469.0529:*:*:*:*:*:*
https://explore.zoom.us/en/trust/security/security-bulletin/#ZSB-23012
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU77161
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-34121
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can gain access to sensitive information.
Install updates from vendor's website.
Vulnerable software versionsZoom Rooms Client for Windows: 5.0.0 1420.0426 - 5.13.10 2558
CPE2.3- cpe:2.3:a:zoom_video_communications:zoom_rooms_for_windows:5.0.0:1420.0426:*:*:*:*:*:*
- cpe:2.3:a:zoom_video_communications:zoom_rooms_for_windows:5.0.2:1459.0524:*:*:*:*:*:*
- cpe:2.3:a:zoom_video_communications:zoom_rooms_for_windows:5.0.4:1469.0529:*:*:*:*:*:*
https://explore.zoom.us/en/trust/security/security-bulletin/#ZSB-23013
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
