CVE-2020-12801: Missing Encryption of Sensitive Data in Document Foundation LibreOffice

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.2% (top 59.75%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 18; latest update Oct 20

Description

If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, LibreOffice offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was not LibreOffice's default ODF file format, then affected versions of LibreOffice default to saving the document unencrypted on subsequent saves. This may lead to a user accidentally saving an MSOffice file format document

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (4 packages)

CVEListV5 | the_document_foundation/libreoffice | 6-3 series | 6.3.6 | +1
NVD | libreoffice/libreoffice | 6.3.0 | 6.3.6 | +1
Debian | libreoffice/libreoffice | < 1:6.4.3-1 | +3
NVD | opensuse/leap | 15.1

Vulnerability Details (4)

OSV: libreoffice vulnerabilities (2022-10-20)
GHSA: GHSA-52g9-8355-62qv: If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted (2022-05-24)
OSV: CVE-2020-12801: If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted (2020-05-18)
CVEList: Crash-recovered MSOffice encrypted documents defaulted to not to using encryption on next save (2020-05-18)

Vendor Advisories (3)

Ubuntu: LibreOffice vulnerabilities (2022-10-20)
Red Hat: libreoffice: crash recovered MSOffice encrypted documents defaulted to not to using encryption on next save (2020-05-28)
Debian: CVE-2020-12801: libreoffice - If LibreOffice has an encrypted document open and crashes, that document is auto... (2020)