PT-2022-3942 · Document Foundation+9 · Libreoffice+9

Published

2022-03-22

·

Updated

2024-06-15

·

CVE-2022-26305

CVSS v2.0

10

High

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions LibreOffice versions prior to 7.2.7 LibreOffice versions prior to 7.3.1
Description The issue is related to an Improper Certificate Validation vulnerability where LibreOffice only matches the serial number and issuer string of the used certificate with that of a trusted certificate to determine if a macro was signed by a trusted author. This is not sufficient to verify that the macro was actually signed with the certificate. An adversary could create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate, which LibreOffice would present as belonging to the trusted author, potentially leading to the user executing arbitrary code contained in macros improperly trusted.
Recommendations For LibreOffice versions prior to 7.2.7, update to version 7.2.7 or later. For LibreOffice versions prior to 7.3.1, update to version 7.3.1 or later.

Fix

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-295

Related Identifiers

ALSA-2023:0089
ALSA-2023:0304
ALT-PU-2022-1541
ALT-PU-2022-1591
ALT-PU-2022-1954
ALT-PU-2022-1986
ALT-PU-2022-2498
ALT-PU-2022-2551
BDU:2022-04771
CESA-2023_0089
CVE-2022-26305
DLA-3368-1
OPENSUSE-SU-2022_3650-1
OPENSUSE-SU-2024:12452-1
RHSA-2023:0089
RHSA-2023:0304
RHSA-2023_0089
RHSA-2023_0304
RLSA-2023:0089
RLSA-2023:0304
SUSE-SU-2022:3602-1
SUSE-SU-2022:3650-1
SUSE-SU-2022_3602-1
SUSE-SU-2022_3650-1
USN-5661-1
USN-5694-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Libreoffice
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu