CVE-2021-25631
Published 2021-05-03
Priority: P3 · 51 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 4.17% (89.6th percentile)
In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the 7-0 series in versions prior to 7.0.5, the denylist can be circumvented by manipulating the link so it doesn't match the denylist but results in ShellExecute attempting to launch an executable type.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libreoffice | — | — |
| libreoffice | libreoffice | >= 7.0.0 < 7.0.5 | 7.0.5 |
| libreoffice | libreoffice | >= 7.1.0 < 7.1.2 | 7.1.2 |
| the_document_foundation | libreoffice | >= 7.0 < 7.0.5 | 7.0.5 |
| the_document_foundation | libreoffice | >= 7.1 < 7.1.2 | 7.1.2 |
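CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_debian | — | 8.8 | LOW | — |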
GHSA
GHSA-8xj5-7228-hcfg: In the LibreOffice 7-1 series in versions prior to 7
ghsa_unreviewed·2022-05-24
CVE-2021-25631 [HIGH] GHSA-8xj5-7228-hcfg: In the LibreOffice 7-1 series in versions prior to 7
Debian
CVE-2021-25631: libreoffice - In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the 7-0 series ...
vendor_debian·2021·CVSS 8.8
CVE-2021-25631 [HIGH] CVE-2021-25631: libreoffice - In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the 7-0 series ...
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2021-05-03
Published