ID

VAR-201907-0716


CVE

CVE-2019-13450


TITLE

Zoom Client and RingCentral Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-006352

DESCRIPTION

In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file. Zoom Client and RingCentral contain an access control vulnerability. Information may be obtained. Zoom Client is a video conferencing client that supports multiple platforms, from Zoom, a company in the United States. There is an information disclosure vulnerability in Zoom Client. An attacker can leverage this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks.

Trust: 2.43

sources: NVD: CVE-2019-13450 // JVNDB: JVNDB-2019-006352 // CNVD: CNVD-2019-21753 // BID: 109082

IOT TAXONOMY

category: ['IoT', 'ICS'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-21753

AFFECTED PRODUCTS

vendor: zoom // model: zoom // scope: lte // version: 4.4.4

Trust: 1.0

vendor: ringcentral // model: ringcentral // scope: eq // version: 7.0.136380.0312

Trust: 1.0

vendor: ringcentral // model: ringcentral // scope: eq // version: 7.0.136380.0312 (macos)

Trust: 0.8

vendor: zoom video // model: client // scope: lte // version: 4.4.4 (macos)

Trust: 0.8

vendor: zoom // model: client on macos // scope: eq // version: 4.4.4

Trust: 0.6

vendor: zoom // model: client // scope: eq // version: 4.4.4

Trust: 0.3

sources: CNVD: CNVD-2019-21753 // BID: 109082 // JVNDB: JVNDB-2019-006352 // NVD: CVE-2019-13450

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-13450
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-13450
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-21753
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201907-383
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2019-13450
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-21753
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-13450
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-21753 // JVNDB: JVNDB-2019-006352 // CNNVD: CNNVD-201907-383 // NVD: CVE-2019-13450

PROBLEMTYPE DATA

problemtype:CWE-862

Trust: 1.0

problemtype:CWE-284

Trust: 0.8

sources: JVNDB: JVNDB-2019-006352 // NVD: CVE-2019-13450

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-383

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201907-383

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006352

PATCH

title: Top Page // url: https://www.ringcentral.com/

Trust: 0.8

title: Zoom@zoom_us // url: https://twitter.com/zoom_us/status/1148710712241295361

Trust: 0.8

title: VIDEO ON VULNERABILITY // url: https://assets.zoom.us/docs/pdf/Zoom+Response+Video-On+Vulnerability.pdf

Trust: 0.8

title: Response to Video-On Concern // url: https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/

Trust: 0.8

title: Zoom Client Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=94523

Trust: 0.6

sources: JVNDB: JVNDB-2019-006352 // CNNVD: CNNVD-201907-383

EXTERNAL IDS

db: NVD // id: CVE-2019-13450

Trust: 3.3

db: BID // id: 109082

Trust: 1.9

db: JVNDB // id: JVNDB-2019-006352

Trust: 0.8

db: CNVD // id: CNVD-2019-21753

Trust: 0.6

db: CNNVD // id: CNNVD-201907-383

Trust: 0.6

sources: CNVD: CNVD-2019-21753 // BID: 109082 // JVNDB: JVNDB-2019-006352 // CNNVD: CNNVD-201907-383 // NVD: CVE-2019-13450

REFERENCES

url:https://news.ycombinator.com/item?id=20387298

Trust: 2.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-13450

Trust: 2.0

url:https://twitter.com/moreati/status/1148548799813640193

Trust: 1.9

url:https://assets.zoom.us/docs/pdf/zoom+response+video-on+vulnerability.pdf

Trust: 1.9

url:https://twitter.com/zoom_us/status/1148710712241295361

Trust: 1.6

url:https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/

Trust: 1.6

url:https://bugs.chromium.org/p/chromium/issues/detail?id=951540

Trust: 1.6

url:http://www.securityfocus.com/bid/109082

Trust: 1.6

url:https://medium.com/%40jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Trust: 1.0

url:https://zoom.us/

Trust: 0.9

url:https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13450

Trust: 0.8

url:https://medium.com/@jonathan.leitschuh/zoom

Trust: 0.6

sources: CNVD: CNVD-2019-21753 // BID: 109082 // JVNDB: JVNDB-2019-006352 // CNNVD: CNNVD-201907-383 // NVD: CVE-2019-13450

CREDITS

Unknown

Trust: 0.9

sources: BID: 109082 // CNNVD: CNNVD-201907-383

SOURCES

db: CNVD // id: CNVD-2019-21753
db: BID // id: 109082
db: JVNDB // id: JVNDB-2019-006352
db: CNNVD // id: CNNVD-201907-383
db: NVD // id: CVE-2019-13450

LAST UPDATE DATE

2024-11-23T22:06:08.079000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2019-21753 // date: 2019-07-09T00:00:00
db: BID // id: 109082 // date: 2019-07-08T00:00:00
db: JVNDB // id: JVNDB-2019-006352 // date: 2019-07-18T00:00:00
db: CNNVD // id: CNNVD-201907-383 // date: 2020-08-25T00:00:00
db: NVD // id: CVE-2019-13450 // date: 2024-11-21T04:24:55.590

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2019-21753 // date: 2019-07-09T00:00:00
db: BID // id: 109082 // date: 2019-07-08T00:00:00
db: JVNDB // id: JVNDB-2019-006352 // date: 2019-07-18T00:00:00
db: CNNVD // id: CNNVD-201907-383 // date: 2019-07-08T00:00:00
db: NVD // id: CVE-2019-13450 // date: 2019-07-09T06:15:10.820