Remote Command Injection Vulnerability in Zoom On-Premise Connectors
CVE-2021-34416

9.8 CRITICAL

Summary

The administrative web portal for Zoom's on-premise connectors contains a vulnerability that allows for unauthorized command execution on the server. Specifically, it fails to properly validate the input when updating network configuration settings. This flaw can be exploited by an attacker with web portal administrative access, potentially leading to significant compromises of the on-premise image. Users are advised to update to the latest versions to mitigate these risks.

Affected Version(s)

Products: Zoom On-Premise Meeting Connector Controller, Zoom On-Premise Meeting Connector MMR, Zoom On-Premise Recording Connector, Zoom On-Premise Virtual Room Connector, Zoom On-Premise Virtual Room Connector Load Balancer

  • Zoom on-premise Meeting Connector before version 4.6.360.20210325
  • Zoom on-premise Meeting Connector MMR before version 4.6.360.20210325
  • Zoom on-premise Recording Connector before version 3.8.44.20210326
  • Zoom on-premise Virtual Room Connector before version 4.4.6752.20210326
  • Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

CVE-2021-34416 : Remote Command Injection Vulnerability in Zoom On-Premise Connectors | SecurityVulnerability.io