Cleartext transmission of sensitive information in Zoom Video Communications, Inc. products - CVE-2023-36539

 

Cleartext transmission of sensitive information in Zoom Video Communications, Inc. products - CVE-2023-36539

Published: June 30, 2023


Vulnerability identifier: #VU77820
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-36539
CWE-ID: CWE-319
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Zoom Video Communications, Inc.
Affected software:
Zoom Workplace Desktop App for Windows
Zoom Workplace Desktop App for macOS
Zoom Workplace Desktop App for Linux
Zoom Rooms Client for Windows
Zoom Rooms Client for macOS
Zoom Workplace App for iOS
Zoom Workplace App for Android
Zoom Meeting SDK for Windows

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to software did not use a per-meeting key to encrypt messages sent between user devices and Zoom, including messages sent during End-to-End Encrypted (E2EE) meetings.A remote attacker with ability to intercept and decrypt TLS communication can gain access to sensitive information.


How to mitigate CVE-2023-36539

Install updates from vendor's website.

Sources