#VU63590 Reliance on Untrusted Inputs in a Security Decision in Zoom Workplace Desktop App for Windows and Zoom Rooms for Windows - CVE-2022-22786

Cybersecurity Help s.r.o.

Published: 2022-05-24

Vulnerability identifier: #VU63590

Vulnerability risk: Low

CVSSv4.0: 0.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-22786

CWE-ID: CWE-807

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Zoom Workplace Desktop App for Windows
Client/Desktop applications / Office applications
Zoom Rooms for Windows
Client/Desktop applications / Office applications

Vendor: Zoom Video Communications, Inc.

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to improper checking of the currently installed software version when performing software update. A remote attacker can trick the victim into installing an older software version.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Zoom Workplace Desktop App for Windows: 5.0.0 23168.0427 - 5.5.4 13142.0301

Zoom Rooms for Windows: 5.0.0 1420.0426 - 5.9.4 990

External links
https://explore.zoom.us/en/trust/security/security-bulletin/#ZSB-22008

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Zoom Client