#VU77820 Cleartext transmission of sensitive information in Zoom Video Communications, Inc. products - CVE-2023-36539

Published: June 30, 2023


Vulnerability identifier: #VU77820
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-36539
CWE-ID: CWE-319
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Zoom Workplace Desktop App for Windows
Zoom Workplace Desktop App for macOS
Zoom Workplace Desktop App for Linux
Zoom Rooms Client for Windows
Zoom Rooms Client for macOS
Zoom Workplace App for iOS
Zoom Workplace App for Android
Zoom Meeting SDK for Windows
Software vendor:
Zoom Video Communications, Inc.

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists because the software did not use a per-meeting key to encrypt messages sent between user devices and Zoom, including messages sent during End-to-End Encrypted (E2EE) meetings. A remote attacker with the ability to intercept and decrypt TLS communication can gain access to sensitive information.


Remediation

Install updates from the vendor's website.

External links