CVE-2023-22880

Zoom for Windows clients before version 5.13.3, Zoom Rooms for Windows clients before version 5.13.5 and Zoom VDI for Windows clients before 5.13.1 contain an information disclosure vulnerability. A recent update to the Microsoft Edge WebView2 runtime used by the affected Zoom clients, transmitted text to Microsoft’s online Spellcheck service instead of the local Windows Spellcheck. Updating Zoom remediates this vulnerability by disabling the feature. Updating Microsoft Edge WebView2 Runtime to at least version 109.0.1481.0 and restarting Zoom remediates this vulnerability by updating Microsoft’s telemetry behavior.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://explore.zoom.us/en/trust/security/security-bulletin/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zoom:rooms::::::windows::*
	cpe:2.3:a:zoom:virtual_desktop_infrastructure::::::windows::*
	cpe:2.3:a:zoom:zoom::::::windows::*

History

27 Mar 2023, 03:24

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:zoom:zoom::::::windows::* cpe:2.3:a:zoom:rooms::::::windows::* cpe:2.3:a:zoom:virtual_desktop_infrastructure::::::windows::*
References	~~(MISC) https://explore.zoom.us/en/trust/security/security-bulletin/ -~~	(MISC) https://explore.zoom.us/en/trust/security/security-bulletin/ - Vendor Advisory
First Time		Zoom rooms Zoom virtual Desktop Infrastructure Zoom Zoom zoom

16 Mar 2023, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-03-16 21:15

Updated : 2023-12-10 14:48

NVD link : CVE-2023-22880

Mitre link : CVE-2023-22880

CVE.ORG link : CVE-2023-22880

JSON object : View

Products Affected

zoom

virtual_desktop_infrastructure
zoom
rooms

CWE

NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2023-22880", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security@zoom.us", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.3}]}, "published": "2023-03-16T21:15:12.893", "references": [{"url": "https://explore.zoom.us/en/trust/security/security-bulletin/", "tags": ["Vendor Advisory"], "source": "security@zoom.us"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security@zoom.us", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Zoom for Windows clients before version 5.13.3, Zoom Rooms for Windows clients before version 5.13.5 and Zoom VDI for Windows clients before 5.13.1 contain an information disclosure vulnerability. A recent update to the Microsoft Edge WebView2 runtime used by the affected Zoom clients, transmitted text to Microsoft\u2019s online Spellcheck service instead of the local Windows Spellcheck. Updating Zoom remediates this vulnerability by disabling the feature. Updating Microsoft Edge WebView2 Runtime to at least version 109.0.1481.0 and restarting Zoom remediates this vulnerability by updating Microsoft\u2019s telemetry behavior."}], "lastModified": "2023-03-27T03:24:44.023", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zoom:rooms:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "4D678B4D-3E7B-4130-98C8-4776FB746AFB", "versionEndExcluding": "5.13.3"}, {"criteria": "cpe:2.3:a:zoom:virtual_desktop_infrastructure:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "E0A18B3A-9C99-4865-A353-47343CF7E6A7", "versionEndExcluding": "5.13.1"}, {"criteria": "cpe:2.3:a:zoom:zoom:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "4603F137-E9B9-4F66-8431-8ABDF1DBFE0C", "versionEndExcluding": "5.13.3"}], "operator": "OR"}]}], "sourceIdentifier": "security@zoom.us"}