cvelist | Document Fdn. | CVELIST:CVE-2023-6185
Dec 11, 2023 - 11:52 a.m.

CVE-2023-6185 Improper input validation enabling arbitrary GStreamer pipeline injection

2023-12-11 11:52:06
Document Fdn.
www.cve.org
9
cve-2023-6185
improper input validation
gstreamer integration
the document foundation
libreoffice
arbitrary plugins
embedded video
target system

CVSS3: 8.3
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H

AI Score: 9
Confidence: High

EPSS: 0.001
Percentile: 31.7%

Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins.

In affected versions, the filename of the embedded video is not sufficiently escaped when passed to GStreamer, enabling an attacker to run arbitrary GStreamer plugins, depending on which plugins are installed on the target system.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "LibreOffice",
    "vendor": "The Document Foundation",
    "versions": [
      {
        "lessThan": "7.5.9",
        "status": "affected",
        "version": "7.5",
        "versionType": "7.5 series"
      },
      {
        "lessThan": "7.6.3",
        "status": "affected",
        "version": "7.6",
        "versionType": "7.6 series"
      }
    ]
  }
]
