CVE-2019-18822

Published: Apr 14, 2020Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A privilege escalation vulnerability in ZOOM Call Recording 6.3.1 allows its user account (i.e., the account under which the program runs - by default, the callrec account) to elevate privileges to root by abusing the callrec-rs@.service. The callrec-rs@.service starts the /opt/callrec/bin/rs binary with root privileges, and this binary is owned by callrec. It can be replaced by a Trojan horse.

Affected (1)

Products: Eleveo: Call Recording

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Eleveo Call Recording	Version 6.3.1

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (4)

https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-18822-PrivEscal-ZoomCallRecording

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.zoomint.com/solutions/call-recording

Source: cve@mitre.org

Product

https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-18822-PrivEscal-ZoomCallRecording

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.zoomint.com/solutions/call-recording

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.