Lucene search

[email protected]CVE-2021-34416

HistorySep 27, 2021 - 2:15 p.m.

CVE-2021-34416

2021-09-2714:15:08

CWE-20

[email protected]

web.nvd.nist.gov

cve-2021-34416

zoom

meeting connector

command injection

network security

vulnerability

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

64.4%

JSON

The network address administrative settings web portal for the Zoom on-premise Meeting Connector before version 4.6.360.20210325, Zoom on-premise Meeting Connector MMR before version 4.6.360.20210325, Zoom on-premise Recording Connector before version 3.8.44.20210326, Zoom on-premise Virtual Room Connector before version 4.4.6752.20210326, and Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326 fails to validate input sent in requests to update the network configuration, which could lead to remote command injection on the on-premise image by the web portal administrators.

Affected configurations

NVD

Node

zoommeeting_connectorRange<4.6.360.20210325

zoomrecording_connectorRange<3.8.44.20210326

zoomvirtual_room_connectorRange<4.4.6752.20210326

zoomvirtual_room_connector_load_balancerRange<2.5.5495.20210326

CPENameOperatorVersion
zoom:meeting_connectorzoom meeting connectorlt4.6.360.20210325
zoom:recording_connectorzoom recording connectorlt3.8.44.20210326
zoom:virtual_room_connectorzoom virtual room connectorlt4.4.6752.20210326
zoom:virtual_room_connector_load_balancerzoom virtual room connector load balancerlt2.5.5495.20210326

CPE	Name	Operator	Version
zoom:meeting_connector	zoom meeting connector	lt	4.6.360.20210325
zoom:recording_connector	zoom recording connector	lt	3.8.44.20210326
zoom:virtual_room_connector	zoom virtual room connector	lt	4.4.6752.20210326
zoom:virtual_room_connector_load_balancer	zoom virtual room connector load balancer	lt	2.5.5495.20210326

CNA Affected

[
  {
    "product": "Zoom On-Premise Meeting Connector Controller, Zoom On-Premise Meeting Connector MMR, Zoom On-Premise Recording Connector, Zoom On-Premise Virtual Room Connector, Zoom On-Premise Virtual Room Connector Load Balancer",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Zoom on-premise Meeting Connector before version 4.6.360.20210325, Zoom on-premise Meeting Connector MMR before version 4.6.360.20210325, Zoom on-premise Recording Connector before version 3.8.44.20210326, Zoom on-premise Virtual Room Connector before version 4.4.6752.20210326, Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326"
      }
    ]
  }
]

References

explore.zoom.us/en/trust/security/security-bulletin/

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

64.4%

JSON

Related for CVE-2021-34416

cvelist1 prion1 nvd1