CVE-2021-34425

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2021-34425
The Zoom Client for Meetings before version 5.7.3 (for Android, iOS, Linux, macOS, and Windows) contain a server side request forgery vulnerability in the chat\'s "link preview" functionality. In versions prior to 5.7.3, if a user were to enable the chat\'s "link preview" feature, a malicious actor could trick the user into potentially sending arbitrary HTTP GET requests to URLs that the actor cannot reach directly.

4.7 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.0 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:H/Au:N/C:P/I:P/A:N

Exploitability : 4.9 / Impact : 4.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References
Link Resource
https://explore.zoom.us/en/trust/security/security-bulletin Vendor Advisory
https://explore.zoom.us/en/trust/security/security-bulletin Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:zoom:meetings:*:*:*:*:*:*:*:*
OR cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
History

21 Nov 2024, 06:10

Type Values Removed Values Added
CVSS v2 : 4.0
v3 : 6.1 		v2 : 4.0
v3 : 4.7
References () https://explore.zoom.us/en/trust/security/security-bulletin - Vendor Advisory () https://explore.zoom.us/en/trust/security/security-bulletin - Vendor Advisory

03 Jan 2022, 22:15

Type Values Removed Values Added
Summary The Zoom Client for Meetings before version 5.7.3 (for Android, iOS, Linux, macOS, and Windows) contain a server side request forgery vulnerability in the chat's "link preview" functionality. In versions prior to 5.7.3, if a user were to enable the chat's "link preview" feature, a malicious actor could trick the user into potentially sending arbitrary HTTP GET requests to URLs that the actor cannot reach directly. The Zoom Client for Meetings before version 5.7.3 (for Android, iOS, Linux, macOS, and Windows) contain a server side request forgery vulnerability in the chat\'s "link preview" functionality. In versions prior to 5.7.3, if a user were to enable the chat\'s "link preview" feature, a malicious actor could trick the user into potentially sending arbitrary HTTP GET requests to URLs that the actor cannot reach directly.

31 Dec 2021, 00:15

Type Values Removed Values Added
Summary The Zoom Client for Meetings before version 5.7.3 (for Android, iOS, Linux, macOS, and Windows) contain a server side request forgery vulnerability in the chat’s “link preview” functionality. In versions prior to 5.7.3, if a user were to enable the chat’s “link preview” feature, a malicious actor could trick the user into potentially sending arbitrary HTTP GET requests to URLs that the actor cannot reach directly. The Zoom Client for Meetings before version 5.7.3 (for Android, iOS, Linux, macOS, and Windows) contain a server side request forgery vulnerability in the chat's "link preview" functionality. In versions prior to 5.7.3, if a user were to enable the chat's "link preview" feature, a malicious actor could trick the user into potentially sending arbitrary HTTP GET requests to URLs that the actor cannot reach directly.

17 Dec 2021, 15:41

Type Values Removed Values Added
CWE CWE-918
CVSS v2 : unknown
v3 : unknown 		v2 : 4.0
v3 : 6.1
CPE cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:a:zoom:meetings:*:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
References (MISC) https://explore.zoom.us/en/trust/security/security-bulletin - (MISC) https://explore.zoom.us/en/trust/security/security-bulletin - Vendor Advisory

14 Dec 2021, 20:32

Type Values Removed Values Added
New CVE
Information

Published : 2021-12-14 20:15

Updated : 2024-11-21 06:10

NVD link : CVE-2021-34425

Mitre link : CVE-2021-34425

CVE.ORG link : CVE-2021-34425

JSON object : View

Products Affected

google

  • android

zoom

  • meetings

apple

  • macos
  • iphone_os

microsoft

  • windows

linux

  • linux_kernel
CWE
CWE-918

Server-Side Request Forgery (SSRF)