CVE-2024-24697 - OpenCVE

Untrusted search path in some Zoom 32 bit Windows clients may allow an authenticated user to conduct an escalation of privilege via local access.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zoom	Meeting Software Development Kit Rooms Vdi Windows Meeting Clients Zoom

Configuration 1 [-]

OR	cpe:2.3:a:zoom:meeting_software_development_kit::::::windows::*
	cpe:2.3:a:zoom:rooms::::::::
	cpe:2.3:a:zoom:vdi_windows_meeting_clients::::::windows::*
	cpe:2.3:a:zoom:vdi_windows_meeting_clients::::::windows::*
	cpe:2.3:a:zoom:vdi_windows_meeting_clients::::::windows::*
	cpe:2.3:a:zoom:zoom::::::windows::*

No data.

References

Link	Providers
https://www.zoom.com/en/trust/security-bulletin/ZSB-24004/

History

Wed, 09 Oct 2024 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zoom meeting Software Development Kit
CPEs	cpe:2.3:a:zoom:meeting_sdk::::::::	cpe:2.3:a:zoom:meeting_software_development_kit::::::windows::*
Vendors & Products	Zoom meeting Sdk	Zoom meeting Software Development Kit

Fri, 04 Oct 2024 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zoom Zoom meeting Sdk Zoom rooms Zoom vdi Windows Meeting Clients Zoom zoom
CPEs		cpe:2.3:a:zoom:meeting_sdk:::::::: cpe:2.3:a:zoom:rooms:::::::: cpe:2.3:a:zoom:vdi_windows_meeting_clients::::::windows::* cpe:2.3:a:zoom:zoom::::::windows::*
Vendors & Products		Zoom Zoom meeting Sdk Zoom rooms Zoom vdi Windows Meeting Clients Zoom zoom

MITRE

Status: PUBLISHED

Assigner: Zoom

Published: 2024-02-13T23:53:43.589Z

Updated: 2024-08-01T23:28:11.187Z

Reserved: 2024-01-26T22:56:14.681Z

Link: CVE-2024-24697

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-02-14T00:15:47.770

Modified: 2024-10-09T15:22:48.937

Link: CVE-2024-24697

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24697", "assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", "state": "PUBLISHED", "assignerShortName": "Zoom", "dateReserved": "2024-01-26T22:56:14.681Z", "datePublished": "2024-02-13T23:53:43.589Z", "dateUpdated": "2024-08-01T23:28:11.187Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "Zoom Clients", "vendor": "Zoom Video Communications, Inc.", "versions": [{"status": "affected", "version": "see references"}]}], "datePublic": "2024-02-13T13:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Untrusted search path in some Zoom 32 bit Windows clients may allow an authenticated user to conduct an escalation of privilege via local access.<br>"}], "value": "Untrusted search path in some Zoom 32 bit Windows clients may allow an authenticated user to conduct an escalation of privilege via local access.\n"}], "impacts": [{"capecId": "CAPEC-471", "descriptions": [{"lang": "en", "value": "CAPEC-471 Search Order Hijacking"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-426", "description": "CWE-426 Untrusted Search Path", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", "shortName": "Zoom", "dateUpdated": "2024-02-13T23:53:43.589Z"}, "references": [{"url": "https://www.zoom.com/en/trust/security-bulletin/ZSB-24004/"}], "source": {"discovery": "UNKNOWN"}, "title": "Zoom Clients - Untrusted Search Path", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:11.187Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.zoom.com/en/trust/security-bulletin/ZSB-24004/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zoom:meeting_software_development_kit:*:*:*:*:*:windows:*:*", "matchCriteriaId": "ED921F3E-F076-4037-BAE9-53BDC04F2A4C", "versionEndExcluding": "5.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zoom:rooms:*:*:*:*:*:*:*:*", "matchCriteriaId": "61CCEE1E-F3C0-41EB-8DF2-4D3EA8600166", "versionEndExcluding": "5.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zoom:vdi_windows_meeting_clients:*:*:*:*:*:windows:*:*", "matchCriteriaId": "6C7B8981-66F8-4309-98C6-63B4665229EF", "versionEndExcluding": "5.15.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:zoom:vdi_windows_meeting_clients:*:*:*:*:*:windows:*:*", "matchCriteriaId": "9705C2B6-78E0-4C1A-B839-58639E7E6AED", "versionEndExcluding": "5.16.2", "versionStartExcluding": "5.15.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:zoom:vdi_windows_meeting_clients:*:*:*:*:*:windows:*:*", "matchCriteriaId": "BD5E2981-940C-448D-8449-AD4CAB1651CA", "versionEndExcluding": "5.17.5", "versionStartExcluding": "5.16.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:zoom:zoom:*:*:*:*:*:windows:*:*", "matchCriteriaId": "8ED34AF6-F5F5-45A1-8AF1-C85064789454", "versionEndExcluding": "5.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Untrusted search path in some Zoom 32 bit Windows clients may allow an authenticated user to conduct an escalation of privilege via local access.\n"}, {"lang": "es", "value": "Una ruta de b\u00fasqueda que no es de confianza en algunos clientes Zoom de Windows de 32 bits puede permitir que un usuario autenticado realice una escalada de privilegios a trav\u00e9s del acceso local."}], "id": "CVE-2024-24697", "lastModified": "2024-10-09T15:22:48.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 6.0, "source": "security@zoom.us", "type": "Secondary"}]}, "published": "2024-02-14T00:15:47.770", "references": [{"source": "security@zoom.us", "tags": ["Vendor Advisory"], "url": "https://www.zoom.com/en/trust/security-bulletin/ZSB-24004/"}], "sourceIdentifier": "security@zoom.us", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-426"}], "source": "security@zoom.us", "type": "Secondary"}]}