Update package downgrade in Zoom Client for Meetings for Windows
CVE-2022-22786

7.5HIGH

Key Information:

Vendor: Zoom
Status: Zoom Client For Meetings For Windows; Zoom Rooms For Conference Room For Windows
Vendor: CVE Published:; 18 May 2022

What is CVE-2022-22786?

The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version.

Affected Version(s)

Zoom Client for Meetings for Windows < 5.10.0

Zoom Rooms for Conference Room for Windows < 5.10.0

References

https://explore.zoom.us/en/trust/security/security-bulletin

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 18, 2022
Vulnerability Reserved
Jan 7, 2022

Credit

Ivan Fratric of Google Project Zero