Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-26306: CVE-2022-26306 | LibreOffice - Free Office Suite - Based on OpenOffice

LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user’s configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.

CVE
#web
  • Discover

  • Download

  • Get Help

  • Improve it

  • Events

  • About Us

  • Donate

  • About Us /

  • Security /

  • Security Advisories /

  • CVE-2022-26306

CVE-2022-26306

Title: Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password

Announced: July 25, 2022

Fixed in: LibreOffice 7.2.7/7.3.3

Description:

LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user.

A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user’s configuration data.

In versions >= 7.2.7 (and >= 7.3.3) unique initialization vectors are used when the passwords are stored and the user is prompted via an infobar to reenter their master password in order to reencrypt old existing vulnerable stored config data if it exists.

Credits:

  • OpenSource Security GmbH on behalf of the German Federal Office for Information Security

Related news

Red Hat Security Advisory 2023-0089-01

Red Hat Security Advisory 2023-0089-01 - LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite. Issues addressed include a script execution vulnerability.

Ubuntu Security Notice USN-5694-1

Ubuntu Security Notice 5694-1 - It was discovered that LibreOffice incorrectly handled links using the Office URI Schemes. If a user were tricked into opening a specially crafted document, a remote attacker could use this issue to execute arbitrary scripts. Thomas Florian discovered that LibreOffice incorrectly handled crashes when an encrypted document is open. If the document is recovered upon restarting LibreOffice, subsequent saves of the document were unencrypted. This issue only affected Ubuntu 18.04 LTS.

Ubuntu Security Notice USN-5661-1

Ubuntu Security Notice 5661-1 - It was discovered that LibreOffice incorrectly validated macro signatures. If a user were tricked into opening a specially crafted document, a remote attacker could possibly use this issue to execute arbitrary macros. It was discovered that Libreoffice incorrectly handled encrypting the master key provided by the user for storing passwords for web connections. A local attacker could possibly use this issue to obtain access to passwords stored in the user's configuration data.

LibreOffice Releases Software Update to Patch 3 New Vulnerabilities

The team behind LibreOffice has released security updates to fix three security flaws in the productivity software, one of which could be exploited to achieve arbitrary code execution on affected systems. Tracked as CVE-2022-26305, the issue has been described as a case of improper certificate validation when checking whether a macro is signed by a trusted author, leading to the execution of

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907