PT-2021-4646 · Document Foundation · Libreoffice

Published: 2021-05-17 · Updated: 2022-05-10 · CVE-2021-25633

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

LibreOffice versions 7.0.0 through 7.0.5
LibreOffice versions 7.1.0 through 7.1.1

Description

The issue is related to improper certificate validation in LibreOffice, which allows an attacker to manipulate the documentsignatures.xml or macrosignatures.xml stream within a document. This manipulation can cause LibreOffice to display a validly signed indicator for a document whose content is unrelated to the signature shown. The attacker can create such a digitally signed ODF document by combining multiple certificate data.

Recommendations

For LibreOffice versions 7.0.0 through 7.0.5, update to version 7.0.6 or later. For LibreOffice versions 7.1.0 through 7.1.1, update to version 7.1.2 or later. As a temporary workaround, consider restricting the use of digital signatures in LibreOffice until a patch is applied. Avoid opening documents from unknown or untrusted sources, especially those with digital signatures.
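
A triage check for the signature streams named in the description, as an added example that is not from the advisory or from LibreOffice: for each signature it reports how many certificate blocks it carries and which package files it does not reference. The `review` rule, the size cap and the sample package are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

DS = "{http://www.w3.org/2000/09/xmldsig#}"
STREAMS = ("META-INF/documentsignatures.xml", "META-INF/macrosignatures.xml")
MAX_STREAM = 1 << 20  # assumed cap; skip oversized signature streams

def audit_odf(data: bytes) -> list:
    """One record per ds:Signature: certificate counts and files it does not reference."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        members = {n for n in pkg.namelist() if not n.endswith("/")}
        for stream in STREAMS:
            if stream not in members or pkg.getinfo(stream).file_size > MAX_STREAM:
                continue
            # Untrusted XML: in production use a hardened parser instead.
            root = ET.fromstring(pkg.read(stream))
            for sig in root.iter(DS + "Signature"):
                uris = {unquote(r.get("URI", "")) for r in sig.iter(DS + "Reference")}
                blocks = sig.findall(f"{DS}KeyInfo/{DS}X509Data")
                out.append({
                    "stream": stream,
                    "x509data": len(blocks),
                    "certificates": len(list(sig.iter(DS + "X509Certificate"))),
                    # Files the signature never references (expected for macro-only signatures).
                    "uncovered": sorted(members - uris - set(STREAMS)),
                    # Assumed triage rule, not LibreOffice's check: several certificate blocks.
                    "review": len(blocks) > 1,
                })
    return out

def build_sample() -> bytes:
    """Constructed ODF-like package: one signature with two X509Data blocks."""
    ns = 'xmlns="http://www.w3.org/2000/09/xmldsig#"'
    x509 = "<X509Data><X509Certificate>PLACEHOLDER</X509Certificate></X509Data>"
    sig = (f'<Signature {ns} Id="s1"><SignedInfo><Reference URI="content.xml"/>'
           f"</SignedInfo><KeyInfo>{x509}{x509}</KeyInfo></Signature>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", "<doc/>")
        z.writestr("styles.xml", "<styles/>")
        z.writestr(STREAMS[0], f"<document-signatures>{sig}</document-signatures>")
    return buf.getvalue()

if __name__ == "__main__":
    for rec in audit_odf(build_sample()):
        print(rec)
```

A flagged record is a prompt for manual review, not proof of tampering: legitimate signatures can carry more than one certificate.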

Fix

Improper Certificate Validation

Weakness Enumeration

Related Identifiers

ALSA-2022:1766
ALT-PU-2021-1816
ALT-PU-2021-1843
ALT-PU-2021-1847
ALT-PU-2021-2151
ALT-PU-2021-3043
ALT-PU-2021-3077
BDU:2021-05337
CESA-2022_1766
CVE-2021-25633
DSA-4988-1
MGASA-2021-0471
RHSA-2022:1766
RHSA-2022_1766
RLSA-2022:1766
USN-5153-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Libreoffice
Linuxmint
Red Hat
Red Os
Rocky Linux
Ubuntu