DLL injection in Zoom Opener installer for Zoom and Zoom Rooms clients
CVE-2022-22788

7.1HIGH

Key Information:

Vendor: Zoom
Status: Zoom Client For Meetings; All Zoom Rooms For Conference Room For Windows
Vendor: CVE Published:; 15 June 2022

Summary

The Zoom Opener installer is downloaded by a user from the Launch meeting page, when attempting to join a meeting without having the Zoom Meeting Client installed. The Zoom Opener installer for Zoom Client for Meetings before version 5.10.3 and Zoom Rooms for Conference Room for Windows before version 5.10.3 are susceptible to a DLL injection attack. This vulnerability could be used to run arbitrary code on the victims host.

Affected Version(s)

All Zoom Rooms for Conference Room for Windows < 5.10.3

Zoom Client for Meetings < 5.10.3

References

https://explore.zoom.us/en/trust/security/security-bulletin/

x_refsource_MISC

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jun 15, 2022
Vulnerability Reserved
Jan 7, 2022

Credit

Reported by James Tsz Ko Yeung