CVE-2023-22880

Zoom for Windows clients before version 5.13.3, Zoom Rooms for Windows clients before version 5.13.5 and Zoom VDI for Windows clients before 5.13.1 contain an information disclosure vulnerability. A recent update to the Microsoft Edge WebView2 runtime used by the affected Zoom clients, transmitted text to Microsoft’s online Spellcheck service instead of the local Windows Spellcheck. Updating Zoom remediates this vulnerability by disabling the feature. Updating Microsoft Edge WebView2 Runtime to at least version 109.0.1481.0 and restarting Zoom remediates this vulnerability by updating Microsoft’s telemetry behavior.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://explore.zoom.us/en/trust/security/security-bulletin/	Vendor Advisory
https://explore.zoom.us/en/trust/security/security-bulletin/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zoom:rooms::::::windows::*
	cpe:2.3:a:zoom:virtual_desktop_infrastructure::::::windows::*
	cpe:2.3:a:zoom:zoom::::::windows::*

History

21 Nov 2024, 07:45

Type	Values Removed	Values Added
References	~~() https://explore.zoom.us/en/trust/security/security-bulletin/ - Vendor Advisory~~	() https://explore.zoom.us/en/trust/security/security-bulletin/ - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : 6.8

Information

Published : 2023-03-16 21:15

Updated : 2024-11-21 07:45

NVD link : CVE-2023-22880

Mitre link : CVE-2023-22880

CVE.ORG link : CVE-2023-22880

JSON object : View

Products Affected

zoom

zoom
rooms
virtual_desktop_infrastructure

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

{"id": "CVE-2023-22880", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@zoom.us", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-03-16T21:15:12.893", "references": [{"url": "https://explore.zoom.us/en/trust/security/security-bulletin/", "tags": ["Vendor Advisory"], "source": "security@zoom.us"}, {"url": "https://explore.zoom.us/en/trust/security/security-bulletin/", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@zoom.us", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Zoom for Windows clients before version 5.13.3, Zoom Rooms for Windows clients before version 5.13.5 and Zoom VDI for Windows clients before 5.13.1 contain an information disclosure vulnerability. A recent update to the Microsoft Edge WebView2 runtime used by the affected Zoom clients, transmitted text to Microsoft\u2019s online Spellcheck service instead of the local Windows Spellcheck. Updating Zoom remediates this vulnerability by disabling the feature. Updating Microsoft Edge WebView2 Runtime to at least version 109.0.1481.0 and restarting Zoom remediates this vulnerability by updating Microsoft\u2019s telemetry behavior."}], "lastModified": "2024-11-21T07:45:34.173", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zoom:rooms:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "4D678B4D-3E7B-4130-98C8-4776FB746AFB", "versionEndExcluding": "5.13.3"}, {"criteria": "cpe:2.3:a:zoom:virtual_desktop_infrastructure:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "E0A18B3A-9C99-4865-A353-47343CF7E6A7", "versionEndExcluding": "5.13.1"}, {"criteria": "cpe:2.3:a:zoom:zoom:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "4603F137-E9B9-4F66-8431-8ABDF1DBFE0C", "versionEndExcluding": "5.13.3"}], "operator": "OR"}]}], "sourceIdentifier": "security@zoom.us"}