CVE-2025-27791 (GCVE-0-2025-27791)

Vulnerability from cvelistv5 – Published: 2025-04-15 19:09 – Updated: 2025-04-15 20:27
VLAI?
Title
Collabora Online Vulnerable to Arbitrary File Write
Summary
Collabora Online is a collaborative online office suite based on LibreOffice technology. In versions prior to 24.04.12.4, 23.05.19, and 22.05.25, there is a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers. This allows for a file to be written anywhere the uid running Collabora Online can write, if such a response was supplied by a malicious WOPI server. By combining this flaw with a Time of Check, Time of Use DNS lookup issue with a WOPI server address under attacker control, it is possible to present such a response to be processed by a Collabora Online instance. This issue has been patched in versions 24.04.13.1, 23.05.19, and 22.05.25.
Severity ?
8.3 (High)
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
CWE
  • CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
Vendor Product Version
CollaboraOnline online Affected: >= 24.04.1.1, < 24.04.13.1
Affected: >= 23.05.0, < 23.05.19
Affected: < 22.05.25
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27791",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-15T20:26:54.283025Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-15T20:27:04.827Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "online",
          "vendor": "CollaboraOnline",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 24.04.1.1, \u003c 24.04.13.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 23.05.0, \u003c 23.05.19"
            },
            {
              "status": "affected",
              "version": "\u003c 22.05.25"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Collabora Online is a collaborative online office suite based on LibreOffice technology. In versions prior to 24.04.12.4, 23.05.19, and 22.05.25, there is a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers. This allows for a file to be written anywhere the uid running Collabora Online can write, if such a response was supplied by a malicious WOPI server. By combining this flaw with a Time of Check, Time of Use DNS lookup issue with a WOPI server address under attacker control, it is possible to present such a response to be processed by a Collabora Online instance. This issue has been patched in versions 24.04.13.1, 23.05.19, and 22.05.25."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-15T19:09:18.774Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/CollaboraOnline/online/security/advisories/GHSA-9j32-gg3j-8w25",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/CollaboraOnline/online/security/advisories/GHSA-9j32-gg3j-8w25"
        }
      ],
      "source": {
        "advisory": "GHSA-9j32-gg3j-8w25",
        "discovery": "UNKNOWN"
      },
      "title": "Collabora Online Vulnerable to Arbitrary File Write"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-27791",
    "datePublished": "2025-04-15T19:09:18.774Z",
    "dateReserved": "2025-03-06T18:06:54.462Z",
    "dateUpdated": "2025-04-15T20:27:04.827Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-27791\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-04-15T19:16:07.433\",\"lastModified\":\"2025-04-16T13:25:59.640\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Collabora Online is a collaborative online office suite based on LibreOffice technology. In versions prior to 24.04.12.4, 23.05.19, and 22.05.25, there is a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers. This allows for a file to be written anywhere the uid running Collabora Online can write, if such a response was supplied by a malicious WOPI server. By combining this flaw with a Time of Check, Time of Use DNS lookup issue with a WOPI server address under attacker control, it is possible to present such a response to be processed by a Collabora Online instance. This issue has been patched in versions 24.04.13.1, 23.05.19, and 22.05.25.\"},{\"lang\":\"es\",\"value\":\"Collabora Online es una suite ofim\u00e1tica colaborativa en l\u00ednea basada en la tecnolog\u00eda LibreOffice. En versiones anteriores a la 24.04.12.4, la 23.05.19 y la 22.05.25, exist\u00eda una falla de recorrido de ruta al gestionar el campo CheckFileInfo BaseFileName devuelto por los servidores WOPI. Esto permit\u00eda escribir un archivo en cualquier lugar donde el uid que ejecuta Collabora Online pudiera escribir, si dicha respuesta proven\u00eda de un servidor WOPI malicioso. Al combinar esta falla con un problema de b\u00fasqueda DNS en el tiempo de verificaci\u00f3n y el tiempo de uso con una direcci\u00f3n de servidor WOPI controlada por un atacante, es posible presentar dicha respuesta para que sea procesada por una instancia de Collabora Online. Este problema se ha corregido en las versiones 24.04.13.1, la 23.05.19 y la 22.05.25.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-23\"}]}],\"references\":[{\"url\":\"https://github.com/CollaboraOnline/online/security/advisories/GHSA-9j32-gg3j-8w25\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27791\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-15T20:26:54.283025Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-15T20:26:59.483Z\"}}], \"cna\": {\"title\": \"Collabora Online Vulnerable to Arbitrary File Write\", \"source\": {\"advisory\": \"GHSA-9j32-gg3j-8w25\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"CollaboraOnline\", \"product\": \"online\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 24.04.1.1, \u003c 24.04.13.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 23.05.0, \u003c 23.05.19\"}, {\"status\": \"affected\", \"version\": \"\u003c 22.05.25\"}]}], \"references\": [{\"url\": \"https://github.com/CollaboraOnline/online/security/advisories/GHSA-9j32-gg3j-8w25\", \"name\": \"https://github.com/CollaboraOnline/online/security/advisories/GHSA-9j32-gg3j-8w25\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Collabora Online is a collaborative online office suite based on LibreOffice technology. In versions prior to 24.04.12.4, 23.05.19, and 22.05.25, there is a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers. This allows for a file to be written anywhere the uid running Collabora Online can write, if such a response was supplied by a malicious WOPI server. By combining this flaw with a Time of Check, Time of Use DNS lookup issue with a WOPI server address under attacker control, it is possible to present such a response to be processed by a Collabora Online instance. This issue has been patched in versions 24.04.13.1, 23.05.19, and 22.05.25.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-23\", \"description\": \"CWE-23: Relative Path Traversal\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-04-15T19:09:18.774Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-27791\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-15T20:27:04.827Z\", \"dateReserved\": \"2025-03-06T18:06:54.462Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-04-15T19:09:18.774Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.