CVE-2021-34409 HIGH

CVE-2021-34409: Zoom Client Installer Local Privilege Escalation

Vendor Zoom Video Communications Inc
Product Zoom Client for Meetings for MacOS (Standard and for IT Admin)
Published September 27, 2021
Last update September 16, 2024

CVSS base score

7.8/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

It was discovered that the installation packages of the Zoom Client for Meetings for MacOS (Standard and for IT Admin) before version 5.2.0, Zoom Client Plugin for Sharing iPhone/iPad before version 5.2.0, and Zoom Rooms for Conference before version 5.1.0 copy pre- and post-installation shell scripts to a user-writable directory. In the affected products listed below, a malicious actor with local access to a user's machine could use this flaw to potentially run arbitrary system commands in a higher privileged context during the installation process.
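The check below is an added example, not code from Zoom or from the CVE record: it audits whether a staged installer script, or the directory holding it, can be modified by anyone other than the account the installer runs as, and shows a staging routine that avoids the condition described above. The function names, the default trusted owner of root, and all paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. No path here comes from the Zoom packages.

# audit_staged_script SCRIPT [TRUSTED_USER]
# Prints one finding per component (the staging directory, then the script)
# that someone other than TRUSTED_USER (default: root) could replace or edit
# before a privileged installer executes the script. Returns 1 on any finding.
audit_staged_script() {
    script=$1
    trusted=${2:-root}
    dir=$(dirname "$script")
    rc=0
    for p in "$dir" "$script"; do
        if [ -L "$p" ]; then
            # A symlink can be repointed at attacker-controlled content.
            echo "FINDING symlink: $p"; rc=1
        elif [ -n "$(find "$p" -maxdepth 0 ! -user "$trusted")" ]; then
            echo "FINDING not owned by $trusted: $p"; rc=1
        elif [ -n "$(find "$p" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]; then
            echo "FINDING group/other-writable: $p"; rc=1
        fi
    done
    return $rc
}

# stage_script_safely SRC
# Copies SRC into a fresh directory that only the calling account can enter
# (mktemp -d creates it with mode 0700) and makes the copy read/execute-only.
# Prints the path of the staged copy.
stage_script_safely() {
    src=$1
    staging=$(mktemp -d "${TMPDIR:-/tmp}/pkgscripts.XXXXXX") || return 1
    cp "$src" "$staging/" || return 1
    chmod 0500 "$staging/$(basename "$src")" || return 1
    echo "$staging/$(basename "$src")"
}
```

When the installer runs as root, call audit_staged_script with the default owner so that a directory owned by the logged-in user is itself reported as a finding.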

Key dates

02 Disclosure timeline

September 27, 2021 CVE published
September 16, 2024 Record updated