GSD-2022-26306
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-26306",
"description": "LibreOffice supports the storage of passwords for web connections in the user\u2019s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user\u0027s configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.",
"id": "GSD-2022-26306",
"references": [
"https://security.archlinux.org/CVE-2022-26306",
"https://www.suse.com/security/cve/CVE-2022-26306.html",
"https://access.redhat.com/errata/RHSA-2023:0089",
"https://ubuntu.com/security/CVE-2022-26306",
"https://access.redhat.com/errata/RHSA-2023:0304"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-26306"
],
"details": "LibreOffice supports the storage of passwords for web connections in the user\u2019s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user\u0027s configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.",
"id": "GSD-2022-26306",
"modified": "2023-12-13T01:19:39.194226Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@documentfoundation.org",
"ID": "CVE-2022-26306",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "LibreOffice",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "7.2",
"version_value": "7.2.7"
},
{
"version_affected": "\u003c",
"version_name": "7.3",
"version_value": "7.3.1"
}
]
}
}
]
},
"vendor_name": "The Document Foundation"
}
]
}
},
"credits": [
{
"lang": "en",
"value": "OpenSource Security GmbH on behalf of the German Federal Office for Information Security"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "LibreOffice supports the storage of passwords for web connections in the user\u2019s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user\u0027s configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-326",
"lang": "eng",
"value": "CWE-326 Inadequate Encryption Strength"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306",
"refsource": "MISC",
"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306"
},
{
"name": "https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html",
"refsource": "MISC",
"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html"
},
{
"name": "http://www.openwall.com/lists/oss-security/2022/08/13/1",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2022/08/13/1"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "7.2.7",
"versionStartIncluding": "7.2.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "7.3.3",
"versionStartIncluding": "7.3.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@documentfoundation.org",
"ID": "CVE-2022-26306"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "LibreOffice supports the storage of passwords for web connections in the user\u2019s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user\u0027s configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-330"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306"
},
{
"name": "[oss-security] 20220812 CVE-2022-37400: Apache OpenOffice Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/13/1"
},
{
"name": "[debian-lts-announce] 20230326 [SECURITY] [DLA 3368-1] libreoffice security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2023-07-11T14:35Z",
"publishedDate": "2022-07-25T15:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…