CVE-2023-43586: 
NixOS vulnerability analysis and mitigation

CVE-2023-43586 is a high-severity path traversal vulnerability affecting Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom SDKs for Windows. The vulnerability was discovered and disclosed in December 2023. The affected products include Zoom Desktop Client for Windows before version 5.16.5, Zoom VDI Client before version 5.16.0 (excluding 5.14.14 and 5.15.12), Zoom Video SDK for Windows before version 5.16.5, and Zoom Meeting SDK for Windows before version 5.16.5 (Zoom Advisory).

The vulnerability is classified as a path traversal issue with a CVSS v3.1 base score of 7.3 (High) according to Zoom's assessment, with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N. However, NIST's assessment gives it a higher CVSS score of 8.8 with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-426 (Untrusted Search Path) (NVD).

The vulnerability allows an authenticated user to conduct an escalation of privilege via network access. This could potentially lead to unauthorized access to higher rights, permissions, or privileges than those allocated to a particular account (Cybersecurity News).

Users are advised to update to the latest versions of the affected software. For Zoom Desktop Client for Windows, update to version 5.16.5 or later. For Zoom VDI Client, update to version 5.16.0 or later. For both Zoom Video SDK and Meeting SDK for Windows, update to version 5.16.5 or later. The latest Zoom software with all current security updates can be downloaded from the official Zoom website (Zoom Advisory).