CVE-2021-30245
Vulnerability from cvelistv5
Published
2021-04-15 19:30
Modified
2024-08-03 22:24
Severity ?
EPSS score ?
Summary
Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Apache Software Foundation | Apache OpenOffice |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:24:59.592Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r87ff11512e4883052991e6b725e20294224034ea8453b811fb3ee735%40%3Cusers.openoffice.apache.org%3E" }, { "name": "[openoffice-dev] 20210415 CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r87ff11512e4883052991e6b725e20294224034ea8453b811fb3ee735%40%3Cdev.openoffice.apache.org%3E" }, { "name": "[openoffice-dev] 20210415 Re: CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra2cabdc083d5160a84de9a6436296ee5030fb3a16dc490dee4f983d5%40%3Cdev.openoffice.apache.org%3E" }, { "name": "[openoffice-users] 20210415 CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r87ff11512e4883052991e6b725e20294224034ea8453b811fb3ee735%40%3Cusers.openoffice.apache.org%3E" }, { "name": "[openoffice-users] 20210415 Re: CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra2cabdc083d5160a84de9a6436296ee5030fb3a16dc490dee4f983d5%40%3Cusers.openoffice.apache.org%3E" }, { "name": "[announce] 20210415 CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r7c01173f763b0c4212ada0e6ab283984d6e058d72258efce85c006ab%40%3Cannounce.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache OpenOffice", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "4.1.9", "status": "affected", "version": "Apache OpenOffice", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Fabian Br\u00e4unlein and Lukas Euler of Positive Security" } ], "descriptions": [ { "lang": "en", "value": "The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to be careful opening documents from unknown and unverified sources. The mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed giving the user the option of continuing to open the hyperlink." } ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "Insecure non-http(s) Hyperlinks could lead to untrusted code execution", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-16T01:06:21", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/r87ff11512e4883052991e6b725e20294224034ea8453b811fb3ee735%40%3Cusers.openoffice.apache.org%3E" }, { "name": "[openoffice-dev] 20210415 CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r87ff11512e4883052991e6b725e20294224034ea8453b811fb3ee735%40%3Cdev.openoffice.apache.org%3E" }, { "name": "[openoffice-dev] 20210415 Re: CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra2cabdc083d5160a84de9a6436296ee5030fb3a16dc490dee4f983d5%40%3Cdev.openoffice.apache.org%3E" }, { "name": "[openoffice-users] 20210415 CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r87ff11512e4883052991e6b725e20294224034ea8453b811fb3ee735%40%3Cusers.openoffice.apache.org%3E" }, { "name": "[openoffice-users] 20210415 Re: CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra2cabdc083d5160a84de9a6436296ee5030fb3a16dc490dee4f983d5%40%3Cusers.openoffice.apache.org%3E" }, { "name": "[announce] 20210415 CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r7c01173f763b0c4212ada0e6ab283984d6e058d72258efce85c006ab%40%3Cannounce.apache.org%3E" } ], "source": { "discovery": "UNKNOWN" }, "title": "Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-30245", "STATE": "PUBLIC", "TITLE": "Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache OpenOffice", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache OpenOffice", "version_value": "4.1.9" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "Fabian Br\u00e4unlein and Lukas Euler of Positive Security" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to be careful opening documents from unknown and unverified sources. The mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed giving the user the option of continuing to open the hyperlink." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insecure non-http(s) Hyperlinks could lead to untrusted code execution" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread.html/r87ff11512e4883052991e6b725e20294224034ea8453b811fb3ee735%40%3Cusers.openoffice.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r87ff11512e4883052991e6b725e20294224034ea8453b811fb3ee735%40%3Cusers.openoffice.apache.org%3E" }, { "name": "[openoffice-dev] 20210415 CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r87ff11512e4883052991e6b725e20294224034ea8453b811fb3ee735@%3Cdev.openoffice.apache.org%3E" }, { "name": "[openoffice-dev] 20210415 Re: CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra2cabdc083d5160a84de9a6436296ee5030fb3a16dc490dee4f983d5@%3Cdev.openoffice.apache.org%3E" }, { "name": "[openoffice-users] 20210415 CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r87ff11512e4883052991e6b725e20294224034ea8453b811fb3ee735@%3Cusers.openoffice.apache.org%3E" }, { "name": "[openoffice-users] 20210415 Re: CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra2cabdc083d5160a84de9a6436296ee5030fb3a16dc490dee4f983d5@%3Cusers.openoffice.apache.org%3E" }, { "name": "[announce] 20210415 CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7c01173f763b0c4212ada0e6ab283984d6e058d72258efce85c006ab@%3Cannounce.apache.org%3E" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-30245", "datePublished": "2021-04-15T19:30:14", "dateReserved": "2021-04-07T00:00:00", "dateUpdated": "2024-08-03T22:24:59.592Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-30245\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2021-04-15T20:15:12.493\",\"lastModified\":\"2023-11-07T03:33:00.700\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to be careful opening documents from unknown and unverified sources. The mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed giving the user the option of continuing to open the hyperlink.\"},{\"lang\":\"es\",\"value\":\"El proyecto recibi\u00f3 un reporte de que todas las versiones de Apache OpenOffice versiones hasta 4.1.8, pueden abrir hiperv\u00ednculos que no sean http.\u0026#xa0;El problema se presenta desde aproximadamente 2006 y el problema tambi\u00e9n se encuentra en versi\u00f3n 4.1.9.\u0026#xa0;Si el enlace est\u00e1 dise\u00f1ado espec\u00edficamente, esto podr\u00eda conllevar a una ejecuci\u00f3n de un c\u00f3digo no confiable.\u0026#xa0;Siempre es una buena pr\u00e1ctica tener cuidado al abrir documentos de fuentes desconocidas y no comprobadas.\u0026#xa0;La mitigaci\u00f3n en Apache OpenOffice versi\u00f3n 4.1.10 (unreleased) asegura que una alerta de seguridad es mostrada d\u00e1ndole al usuario la opci\u00f3n de continuar abriendo el hiperv\u00ednculo\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":6.8},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-610\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:openoffice:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"4.1.8\",\"matchCriteriaId\":\"C07FD210-8059-496E-9167-D1790DAB5828\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread.html/r7c01173f763b0c4212ada0e6ab283984d6e058d72258efce85c006ab%40%3Cannounce.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/r87ff11512e4883052991e6b725e20294224034ea8453b811fb3ee735%40%3Cdev.openoffice.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/r87ff11512e4883052991e6b725e20294224034ea8453b811fb3ee735%40%3Cusers.openoffice.apache.org%3E\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/ra2cabdc083d5160a84de9a6436296ee5030fb3a16dc490dee4f983d5%40%3Cdev.openoffice.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/ra2cabdc083d5160a84de9a6436296ee5030fb3a16dc490dee4f983d5%40%3Cusers.openoffice.apache.org%3E\",\"source\":\"security@apache.org\"}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.