#VU69235 Information disclosure in Zoom Video Communications, Inc. products - CVE-2022-28764
Vulnerability identifier: #VU69235
Vulnerability risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-200
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Zoom Workplace Desktop App for Windows
Client/Desktop applications /
Office applications
Zoom Workplace Desktop App for Linux
Client/Desktop applications /
Office applications
Zoom Workplace Desktop App for macOS
Client/Desktop applications /
Office applications
Zoom Workplace App for iOS
Mobile applications /
Apps for mobile phones
Zoom Workplace App for Android
Mobile applications /
Apps for mobile phones
Vendor: Zoom Video Communications, Inc.
Description
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to the application does not clear data from the local SQL database after a meeting ends and also uses an insufficiently secure per-device key to encrypt meetings data. A local user can obtain meeting information such as in-meeting chat for the previous meeting attended from that local user account.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Zoom Workplace Desktop App for Windows: 5.0.0 23168.0427 - 5.12.3 9638
Zoom Workplace App for iOS: 5.0.0 23161.0427 - 5.12.2 4920
Zoom Workplace Desktop App for Linux: 5.1.418436.0628 - 5.12.2 4816
Zoom Workplace Desktop App for macOS: 5.0.0 23186.0427 - 5.12.3 11845
Zoom Workplace App for Android: 5.0.1 23478.0429 - 5.12.2 9059
External links
https://explore.zoom.us/en/trust/security/security-bulletin/#ZSB-22025
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
