The Zoom Client for macOS prior to version 4.4.2-hotfix is vulnerable to a low-risk denial-of-service attack in which a remote actor who is able to convince a Zoom user to open a specially crafted web link can trigger an endless loop of attempted meeting joins, causing the Zoom client to become inoperative and degrading device performance, resulting in a loss of availability. A device reboot may be required to recover.
A hot fix for the issue was released as version 4.4.2-hotfix, published April 28, 2019. Further, the vulnerable ZoomOpener component was removed in the Zoom Client for macOS version 4.4.53932.0709, published on July 9, 2019.
Zoom encourages customers to install the latest Zoom Client release.
CVSS v3.0 Severity and Metrics
Base Score: 3.1 (Low Severity)
Attack Vector: Network
Attack Complexity: High (depends on conditions outside the attacker’s control)
Privileges Required: None
User Interaction: Required
Availability: Low (impact limited to system slowdown, possible device reboot required)
Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Note: CVSS score may differ from that published in NVD due to differences between analysts in impact assessment or other calculation components.