Lucene search

[email protected]CVE-2021-34414

HistorySep 27, 2021 - 2:15 p.m.

CVE-2021-34414

2021-09-2714:15:08

CWE-20

[email protected]

web.nvd.nist.gov

zoom

web portal

on-premise

security

remote command injection

network proxy

cve-2021-34414

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

50.1%

JSON

The network proxy page on the web portal for the Zoom on-premise Meeting Connector Controller before version 4.6.348.20201217, Zoom on-premise Meeting Connector MMR before version 4.6.348.20201217, Zoom on-premise Recording Connector before version 3.8.42.20200905, Zoom on-premise Virtual Room Connector before version 4.4.6620.20201110, and Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326 fails to validate input sent in requests to update the network proxy configuration, which could lead to remote command injection on the on-premise image by a web portal administrator.

Affected configurations

NVD

Node

zoommeeting_connectorRange<4.6.348.20201217

zoomrecording_connectorRange<3.8.42.20200905

zoomvirtual_room_connectorRange<4.4.6620.20201110

zoomvirtual_room_connector_load_balancerRange<2.5.5495.20210326

CPENameOperatorVersion
zoom:meeting_connectorzoom meeting connectorlt4.6.348.20201217
zoom:recording_connectorzoom recording connectorlt3.8.42.20200905
zoom:virtual_room_connectorzoom virtual room connectorlt4.4.6620.20201110
zoom:virtual_room_connector_load_balancerzoom virtual room connector load balancerlt2.5.5495.20210326

CPE	Name	Operator	Version
zoom:meeting_connector	zoom meeting connector	lt	4.6.348.20201217
zoom:recording_connector	zoom recording connector	lt	3.8.42.20200905
zoom:virtual_room_connector	zoom virtual room connector	lt	4.4.6620.20201110
zoom:virtual_room_connector_load_balancer	zoom virtual room connector load balancer	lt	2.5.5495.20210326

CNA Affected

[
  {
    "product": "Zoom on-premise Meeting Connector Controller, Zoom on-premise Meeting Connector MMR, Zoom on-premise Recording Connector, Zoom on-premise Virtual Room Connector, Zoom on-premise Virtual Room Connector Load Balancer",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Zoom on-premise Meeting Connector Controller before version 4.6.348.20201217, Zoom on-premise Meeting Connector MMR before version 4.6.348.20201217, Zoom on-premise Recording Connector before version 3.8.42.20200905, Zoom on-premise Virtual Room Connector before version 4.4.6620.20201110, Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326"
      }
    ]
  }
]

References

explore.zoom.us/en/trust/security/security-bulletin/

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

50.1%

JSON

Related for CVE-2021-34414

prion1 cvelist1 nvd1