CVE-2021-28133

Zoom 5.4.3 (54779.1115) / 5.5.4 (13142.0301) Information Disclosure

  • Severity Score: 4.3 (CVSS v3.1)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 0 (multiple sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

Zoom through 5.5.4 sometimes allows attackers to read private information on a participant's screen, even though the participant never attempted to share the private part of their screen. When a user shares a specific application window via the Share Screen functionality, other meeting participants can briefly see contents of other application windows that were explicitly not shared. The contents of these other windows can (for instance) be seen for a short period of time when they overlay the shared window and get into focus. (An attacker can, of course, use a separate screen-recorder application, unsupported by Zoom, to save all such contents for later replays and analysis.) Depending on the unintentionally shared data, this short exposure of screen contents may be a more or less severe security issue.

Zoom versions 5.4.3 (54779.1115) and 5.5.4 (13142.0301) temporarily share other application windows that are not in scope for sharing.

*Credits: N/A
CVSS Scores

CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CVSS v2.0
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-03-10 CVE Reserved
  • 2021-03-18 CVE Published
  • 2024-05-19 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
Vendor  Product  Version   Other  Status
Zoom    Zoom     <= 5.5.4  -      Affected