ubuntucve | Ubuntu.com | UB:CVE-2022-26305
History: Jul 25, 2022 - 12:00 a.m.

CVE-2022-26305

Tags: certificate validation, libreoffice, macro, arbitrary certificate, trusted author, vulnerability, arbitrary code

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.002
Percentile: 61.4%

An Improper Certificate Validation vulnerability in LibreOffice existed
where determining if a macro was signed by a trusted author was done by
only matching the serial number and issuer string of the used certificate
with that of a trusted certificate. This is not sufficient to verify that
the macro was actually signed with the certificate. An adversary could
therefore create an arbitrary certificate with a serial number and an
issuer string identical to a trusted certificate which LibreOffice would
present as belonging to the trusted author, potentially leading the user
to execute arbitrary code contained in improperly trusted macros. This
issue affects: The Document Foundation LibreOffice 7.2 versions prior to
7.2.7; 7.3 versions prior to 7.3.1.
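
The difference between the insufficient check described above and a check bound to the whole certificate, as an added example that is not LibreOffice's code. The `Cert` record, its field names, the byte strings standing in for DER encodings and all function names are constructed for illustration.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Stand-in for a parsed X.509 certificate (constructed, not a real parser)."""
    issuer: str
    serial: int
    der: bytes  # full encoded certificate, which includes the public key

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

# Constructed sample data: a trusted author certificate, a look-alike that
# repeats only its issuer string and serial number, and an unrelated one.
TRUSTED = Cert("CN=Example Author CA,O=Example", 0x1A2B3C, b"constructed-der:author-key")
LOOKALIKE = Cert("CN=Example Author CA,O=Example", 0x1A2B3C, b"constructed-der:other-key")
UNRELATED = Cert("CN=Someone Else,O=Example", 0x99, b"constructed-der:unrelated-key")

def is_trusted_weak(signer: Cert, trust_list: list[Cert]) -> bool:
    """The check the advisory describes: issuer string and serial number only."""
    return any(signer.issuer == t.issuer and signer.serial == t.serial
               for t in trust_list)

def is_trusted_strict(signer: Cert, trust_list: list[Cert]) -> bool:
    """Match on the SHA-256 of the whole encoding, so the key must match too.

    Assumes the macro signature was already verified against signer's key.
    """
    return signer.fingerprint in {t.fingerprint for t in trust_list}

def find_spoofed(signers: list[Cert], trust_list: list[Cert]) -> list[Cert]:
    """Signers the weak check would accept but the strict check rejects."""
    return [s for s in signers
            if is_trusted_weak(s, trust_list) and not is_trusted_strict(s, trust_list)]

if __name__ == "__main__":
    for cert in (TRUSTED, LOOKALIKE, UNRELATED):
        print(cert.fingerprint[:16],
              "weak:", is_trusted_weak(cert, [TRUSTED]),
              "strict:", is_trusted_strict(cert, [TRUSTED]))
```

`find_spoofed` can be run over the signer certificates of stored documents to flag any that share an issuer and serial number with a trusted entry without being that certificate.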

OS      Version  Architecture  Package      Version                        Filename
ubuntu  18.04    noarch        libreoffice  < 1:6.0.7-0ubuntu0.18.04.12    UNKNOWN
ubuntu  20.04    noarch        libreoffice  < 1:6.4.7-0ubuntu0.20.04.5     UNKNOWN
