SecuriTricks - CVE-2024-45418

Description

Symlink following in the installer for some Zoom apps for macOS before version 6.1.5 may allow an authenticated user to conduct an escalation of privilege via network access.

Product(s) Impacted

Vendor	Product	Versions
Zoom	Meeting Software Development Kit Rooms Video Software Development Kit Workplace Desktop	* * * *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-59

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

CWE-61

UNIX Symbolic Link (Symlink) Following

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	zoom	meeting_software_development_kit	/	/	/	/	/	macos	/	/
a	zoom	rooms	/	/	/	/	/	macos	/	/
a	zoom	video_software_development_kit	/	/	/	/	/	macos	/	/
a	zoom	workplace_desktop	/	/	/	/	/	macos	/	/

References

https://www.zoom.com/en/trust/security-bulletin/zsb-24040/

CVSS Score

5.4 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

View Vector String

Timeline

Published: Feb. 25, 2025, 8:15 p.m.
Last Modified: March 4, 2025, 5:36 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@zoom.us

CVE-2024-45418