CVE-2021-25635

CWE-295Improper Certificate Validation6 documents6 sources
Severity
5.2MEDIUM
EPSS
0.1%
top 84.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
THE Document Foundation LibreofficeLibreoffice LibreofficeApache Software Foundation Apache Openoffice
Timeline
PublishedMar 21

Description

An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to self sign an ODF document, with a signature untrusted by the target, then modify it to change the signature algorithm to an invalid (or unknown to LibreOffice) algorithm and LibreOffice would incorrectly present such a signature with an unknown algorithm as a valid signature issued by a trusted person This issue affects LibreOffice: from 7.0 before 7.0.5, from 7.1 before 7.1.1.

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H

Affected Packages4 packages

CVEListV5the_document_foundation/libreoffice7.07.0.5+1
NVDlibreoffice/libreoffice7.0.07.0.5.1+1
Ubuntulibreoffice< 1:7.2.1-0ubuntu3
CVEListV5apache_software_foundation/apache_openofficeApache OpenOffice4.1.10+1

🔴Vulnerability Details

3
CVEList
Content Manipulation with Certificate Validation Attack2025-03-21
GHSA
GHSA-r73f-2rxh-prfm: An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to self sign an ODF document, with a signature untrusted by the ta2025-03-21
OSV
CVE-2021-25635: An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to self sign an ODF document, with a signature untrusted by the ta2025-03-21

📋Vendor Advisories

2
Red Hat
libreoffice: Content Manipulation with Certificate Validation Attack2021-10-11
Debian
CVE-2021-25635: libreoffice - An Improper Certificate Validation vulnerability in LibreOffice allowed an atta...2021
CVE-2021-25635 (MEDIUM CVSS 5.2) | An Improper Certificate Validation | cvebase.io