Lucene search

K
cveDocument Fdn.CVE-2022-26306
HistoryJul 25, 2022 - 3:15 p.m.

CVE-2022-26306

2022-07-2515:15:09
CWE-326
CWE-330
Document Fdn.
web.nvd.nist.gov
122
2
cve-2022-26306
libreoffice
encryption
vulnerability
password storage
nvd
document foundation
web connections
security

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.8

Confidence

High

EPSS

0.002

Percentile

53.4%

LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user’s configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.

Affected configurations

Nvd
Node
libreofficelibreofficeRange7.2.07.2.7
OR
libreofficelibreofficeRange7.3.07.3.3
Node
debiandebian_linuxMatch10.0

CNA Affected

[
  {
    "vendor": "The Document Foundation",
    "product": "LibreOffice",
    "versions": [
      {
        "version": "7.2",
        "status": "affected",
        "lessThan": "7.2.7",
        "versionType": "custom"
      },
      {
        "version": "7.3",
        "status": "affected",
        "lessThan": "7.3.1",
        "versionType": "custom"
      }
    ]
  }
]

Social References

More

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.8

Confidence

High

EPSS

0.002

Percentile

53.4%