CVE-2024-24691: 
NixOS vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-24691) with a CVSS score of 9.6 was discovered in Zoom's Windows-based products. The vulnerability affects multiple Zoom products including Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows. The flaw was discovered and reported by Zoom Offensive Security team and was disclosed on February 13, 2024 (Zoom Security).

The vulnerability is characterized as an improper input validation issue that could allow an unauthenticated user to conduct privilege escalation attacks via network access. The vulnerability received a Critical severity rating with a CVSS score of 9.6 and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. The affected versions include Zoom Desktop Client for Windows before version 5.16.5, Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12), Zoom Rooms Client for Windows before version 5.17.0, and Zoom Meeting SDK for Windows before version 5.16.5 (Security Online).

The vulnerability could allow attackers to steal sensitive data, disrupt video meetings, install malware, and potentially gain full control of affected systems. The high CVSS score indicates that successful exploitation could lead to a complete compromise of the targeted system (Security Online).

Zoom has released patches to address this vulnerability. Users are advised to update to the latest versions: Zoom Desktop Client for Windows version 5.16.5 or later, Zoom VDI Client for Windows version 5.16.10 or later, Zoom Rooms Client for Windows version 5.17.0 or later, and Zoom Meeting SDK for Windows version 5.16.5 or later. Updates can be downloaded from the official Zoom download center (Zoom Security).