#VU69235 Information disclosure in Zoom Video Communications, Inc. products - CVE-2022-28764
Published: November 11, 2022
Vulnerability identifier: #VU69235
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-28764
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Zoom Workplace Desktop App for Windows
Zoom Workplace Desktop App for Linux
Zoom Workplace Desktop App for macOS
Zoom Workplace App for iOS
Zoom Workplace App for Android
Zoom Workplace Desktop App for Windows
Zoom Workplace Desktop App for Linux
Zoom Workplace Desktop App for macOS
Zoom Workplace App for iOS
Zoom Workplace App for Android
Software vendor:
Zoom Video Communications, Inc.
Zoom Video Communications, Inc.
Description
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to the application does not clear data from the local SQL database after a meeting ends and also uses an insufficiently secure per-device key to encrypt meetings data. A local user can obtain meeting information such as in-meeting chat for the previous meeting attended from that local user account.
Remediation
Install updates from vendor's website.