PT-2021-6784 · Document Foundation · LibreOffice

Published: 2021-01-19 · Updated: 2023-03-27

CVE-2021-25636

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: LibreOffice versions 7.2 prior to 7.2.5

Description: The issue stems from improper certificate validation in LibreOffice. An attacker can craft a digitally signed ODF document by manipulating the documentsignatures.xml or macrosignatures.xml stream inside the package so that the KeyInfo element of a signature carries both an X509Data child and a KeyValue child. LibreOffice then verifies the signature against the KeyValue but reports the verification result as belonging to the unrelated X509Data certificate. This allows an attacker to bypass security restrictions that depend on the displayed signer.

Recommendations: For LibreOffice versions 7.2 prior to 7.2.5, update to version 7.2.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of digital signatures in ODF documents until the update is applied. Avoid relying on X509Data and KeyValue elements appearing together in the KeyInfo tag of the documentsignatures.xml or macrosignatures.xml stream within the document, to minimize the risk of exploitation.
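As an added example that is not part of this advisory or of LibreOffice, the following Python check opens an ODF package and flags every signature whose KeyInfo carries both X509Data and KeyValue children, the ambiguous shape the description above refers to. The META-INF/ locations of the two streams, the sample signature stream and its signature Ids are assumptions constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Streams named in the advisory; META-INF/ is where an ODF package stores them (assumed).
SIGNATURE_STREAMS = ("META-INF/documentsignatures.xml", "META-INF/macrosignatures.xml")

def find_ambiguous_keyinfo(xml_bytes):
    """Return the Id of every ds:Signature whose ds:KeyInfo carries both a
    ds:X509Data and a ds:KeyValue child, the shape CVE-2021-25636 abuses."""
    flagged = []
    for idx, sig in enumerate(ET.fromstring(xml_bytes).iter(DS + "Signature")):
        for key_info in sig.iter(DS + "KeyInfo"):
            children = {child.tag for child in key_info}
            if DS + "X509Data" in children and DS + "KeyValue" in children:
                flagged.append(sig.get("Id", "signature-%d" % idx))
                break
    return flagged

def scan_odf(package):
    """Check both signature streams of an ODF package (path or file object)."""
    with zipfile.ZipFile(package) as zf:
        return {name: find_ambiguous_keyinfo(zf.read(name))
                for name in SIGNATURE_STREAMS if name in zf.namelist()}

# Constructed sample: one ordinary signature and one with the ambiguous KeyInfo.
SAMPLE_STREAM = b"""<?xml version="1.0" encoding="UTF-8"?>
<document-signatures xmlns="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature Id="sig-clean">
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>cert-A</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <ds:Signature Id="sig-ambiguous">
    <ds:KeyInfo>
      <ds:X509Data><ds:X509Certificate>cert-A</ds:X509Certificate></ds:X509Data>
      <ds:KeyValue><ds:RSAKeyValue><ds:Modulus>key-B</ds:Modulus></ds:RSAKeyValue></ds:KeyValue>
    </ds:KeyInfo>
  </ds:Signature>
</document-signatures>"""

def build_sample_odf():
    """Build an in-memory zip holding only the constructed documentsignatures.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/documentsignatures.xml", SAMPLE_STREAM)
    buf.seek(0)
    return buf
```

A document flagged by `scan_odf` should be treated as unverified regardless of the signer LibreOffice displays, until the application has been updated to 7.2.5 or later.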

Weakness Enumeration

Improper Verification of Cryptographic Signature
Improper Certificate Validation

Related Identifiers

ALSA-2022:7461
ALT-PU-2022-1061
ALT-PU-2022-1591
BDU:2022-02189
CESA-2022:7461
CVE-2021-25636
DLA-3368-1
OPENSUSE-SU-2022:0886-1
RHSA-2022:7461
RLSA-2022:7461
SUSE-SU-2022:0886-1
SUSE-SU-2022:1093-1
USN-5330-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
LibreOffice
Linux Mint
Red Hat
Rocky Linux
SUSE
Ubuntu