cnvd - cnvd-2021-17247

CNVD-2021-17247

Vulnerability from cnvd - Published: 2021-03-13

Title

ONLYOFFICE Document Server文件扩展名处理漏洞（CNVD-2021-17247）

Description

ONLYOFFICE Document Server是一款免费协作式在线办公套件，包括用于文本、电子表格和演示文稿的查看器和编辑器。 ONLYOFFICE DocumentServer [core]模块存在文件扩展名处理漏洞，攻击者可通过请求将特制文件从DOCT转换为DOCX格式利用该漏洞实现远程代码执行。

Severity

中

Patch Name

ONLYOFFICE Document Server文件扩展名处理漏洞（CNVD-2021-17247）的补丁

Patch Description

ONLYOFFICE Document Server是一款免费协作式在线办公套件，包括用于文本、电子表格和演示文稿的查看器和编辑器。 ONLYOFFICE DocumentServer [core]模块存在文件扩展名处理漏洞，攻击者可通过请求将特制文件从DOCT转换为DOCX格式利用该漏洞实现远程代码执行。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/ONLYOFFICE/DocumentServer

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-25830

Impacted products

Name
Ascensio System ONLYOFFICE Document Server >=4.2.0.236，<=5.6.4.13

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-25830",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-25830"
    }
  },
  "description": "ONLYOFFICE Document Server\u662f\u4e00\u6b3e\u514d\u8d39\u534f\u4f5c\u5f0f\u5728\u7ebf\u529e\u516c\u5957\u4ef6\uff0c\u5305\u62ec\u7528\u4e8e\u6587\u672c\u3001\u7535\u5b50\u8868\u683c\u548c\u6f14\u793a\u6587\u7a3f\u7684\u67e5\u770b\u5668\u548c\u7f16\u8f91\u5668\u3002\n\nONLYOFFICE DocumentServer [core]\u6a21\u5757\u5b58\u5728\u6587\u4ef6\u6269\u5c55\u540d\u5904\u7406\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf7\u6c42\u5c06\u7279\u5236\u6587\u4ef6\u4eceDOCT\u8f6c\u6362\u4e3aDOCX\u683c\u5f0f\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u73b0\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/ONLYOFFICE/DocumentServer",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-17247",
  "openTime": "2021-03-13",
  "patchDescription": "ONLYOFFICE Document Server\u662f\u4e00\u6b3e\u514d\u8d39\u534f\u4f5c\u5f0f\u5728\u7ebf\u529e\u516c\u5957\u4ef6\uff0c\u5305\u62ec\u7528\u4e8e\u6587\u672c\u3001\u7535\u5b50\u8868\u683c\u548c\u6f14\u793a\u6587\u7a3f\u7684\u67e5\u770b\u5668\u548c\u7f16\u8f91\u5668\u3002\r\n\r\nONLYOFFICE DocumentServer [core]\u6a21\u5757\u5b58\u5728\u6587\u4ef6\u6269\u5c55\u540d\u5904\u7406\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf7\u6c42\u5c06\u7279\u5236\u6587\u4ef6\u4eceDOCT\u8f6c\u6362\u4e3aDOCX\u683c\u5f0f\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u73b0\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "ONLYOFFICE Document Server\u6587\u4ef6\u6269\u5c55\u540d\u5904\u7406\u6f0f\u6d1e\uff08CNVD-2021-17247\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Ascensio System ONLYOFFICE Document Server \u003e=4.2.0.236\uff0c\u003c=5.6.4.13"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-25830",
  "serverity": "\u4e2d",
  "submitTime": "2021-03-02",
  "title": "ONLYOFFICE Document Server\u6587\u4ef6\u6269\u5c55\u540d\u5904\u7406\u6f0f\u6d1e\uff08CNVD-2021-17247\uff09"
}

CVE-2021-25830 (GCVE-0-2021-25830)

Vulnerability from cvelistv5 – Published: 2021-03-01 15:07 – Updated: 2024-08-03 20:11

Summary

A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. An attacker must request the conversion of the crafted file from DOCT into DOCX format. Using the chain of two other bugs related to improper string handling, an attacker can achieve remote code execution on DocumentServer.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/ONLYOFFICE/DocumentServer	x_refsource_MISC
	https://github.com/ONLYOFFICE/core	x_refsource_MISC
	https://github.com/ONLYOFFICE/core/blob/v5.6.4.13…	x_refsource_MISC
	https://github.com/ONLYOFFICE/core/blob/v5.6.4.13…	x_refsource_MISC
	https://github.com/ONLYOFFICE/core/blob/v5.6.4.13…	x_refsource_MISC
	https://github.com/merrychap/poc_exploits/tree/ma…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:11:28.461Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ONLYOFFICE/DocumentServer"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ONLYOFFICE/core"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ONLYOFFICE/core/blob/v5.6.4.13/ASCOfficePPTXFile/PPTXFormat/Logic/UniFill.cpp#L343"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ONLYOFFICE/core/blob/v5.6.4.13/ASCOfficePPTXFile/Editor/BinaryFileReaderWriter.cpp#L241"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ONLYOFFICE/core/blob/v5.6.4.13/ASCOfficePPTXFile/Editor/BinaryFileReaderWriter.cpp#L1918"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/merrychap/poc_exploits/tree/master/ONLYOFFICE/CVE-2021-25830"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. An attacker must request the conversion of the crafted file from DOCT into DOCX format. Using the chain of two other bugs related to improper string handling, an attacker can achieve remote code execution on DocumentServer."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-03-02T12:27:59",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ONLYOFFICE/DocumentServer"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ONLYOFFICE/core"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ONLYOFFICE/core/blob/v5.6.4.13/ASCOfficePPTXFile/PPTXFormat/Logic/UniFill.cpp#L343"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ONLYOFFICE/core/blob/v5.6.4.13/ASCOfficePPTXFile/Editor/BinaryFileReaderWriter.cpp#L241"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ONLYOFFICE/core/blob/v5.6.4.13/ASCOfficePPTXFile/Editor/BinaryFileReaderWriter.cpp#L1918"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/merrychap/poc_exploits/tree/master/ONLYOFFICE/CVE-2021-25830"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-25830",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. An attacker must request the conversion of the crafted file from DOCT into DOCX format. Using the chain of two other bugs related to improper string handling, an attacker can achieve remote code execution on DocumentServer."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ONLYOFFICE/DocumentServer",
              "refsource": "MISC",
              "url": "https://github.com/ONLYOFFICE/DocumentServer"
            },
            {
              "name": "https://github.com/ONLYOFFICE/core",
              "refsource": "MISC",
              "url": "https://github.com/ONLYOFFICE/core"
            },
            {
              "name": "https://github.com/ONLYOFFICE/core/blob/v5.6.4.13/ASCOfficePPTXFile/PPTXFormat/Logic/UniFill.cpp#L343",
              "refsource": "MISC",
              "url": "https://github.com/ONLYOFFICE/core/blob/v5.6.4.13/ASCOfficePPTXFile/PPTXFormat/Logic/UniFill.cpp#L343"
            },
            {
              "name": "https://github.com/ONLYOFFICE/core/blob/v5.6.4.13/ASCOfficePPTXFile/Editor/BinaryFileReaderWriter.cpp#L241",
              "refsource": "MISC",
              "url": "https://github.com/ONLYOFFICE/core/blob/v5.6.4.13/ASCOfficePPTXFile/Editor/BinaryFileReaderWriter.cpp#L241"
            },
            {
              "name": "https://github.com/ONLYOFFICE/core/blob/v5.6.4.13/ASCOfficePPTXFile/Editor/BinaryFileReaderWriter.cpp#L1918",
              "refsource": "MISC",
              "url": "https://github.com/ONLYOFFICE/core/blob/v5.6.4.13/ASCOfficePPTXFile/Editor/BinaryFileReaderWriter.cpp#L1918"
            },
            {
              "name": "https://github.com/merrychap/poc_exploits/tree/master/ONLYOFFICE/CVE-2021-25830",
              "refsource": "MISC",
              "url": "https://github.com/merrychap/poc_exploits/tree/master/ONLYOFFICE/CVE-2021-25830"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-25830",
    "datePublished": "2021-03-01T15:07:38",
    "dateReserved": "2021-01-22T00:00:00",
    "dateUpdated": "2024-08-03T20:11:28.461Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-17247

CVE-2021-25830 (GCVE-0-2021-25830)

Tags

Sightings

Nomenclature