Improperly constrained session cookies in Zoom Client for Meetings
CVE-2022-22785

5.9MEDIUM

Key Information:

Vendor: Zoom
Status: Zoom Client For Meetings For Android; Zoom Client For Meetings For iOS; Zoom Client For Meetings For Linux; Zoom Client For Meetings For Mac OS
Vendor: CVE Published:; 18 May 2022

What is CVE-2022-22785?

The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting users Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.

Affected Version(s)

Zoom Client for Meetings for Android < 5.10.0

Zoom Client for Meetings for iOS < 5.10.0

Zoom Client for Meetings for Linux < 5.10.0

References

https://explore.zoom.us/en/trust/security/security-bulletin

x_refsource_MISC

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 18, 2022
Vulnerability Reserved
Jan 7, 2022

Credit

Ivan Fratric of Google Project Zero