CVE-2021-25636Improper Verification of Cryptographic Signature in Document Foundation Libreoffice

CWE-347Improper Verification of Cryptographic SignatureCWE-295Improper Certificate Validation7 documents7 sources
Severity
7.5HIGHNVD
EPSS
0.2%
top 60.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
THE Document Foundation LibreofficeLibreofficeFedoraproject Fedora
Timeline
PublishedFeb 24
Latest updateMar 15

Description

LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both "X509Data" and "KeyValue" children of the "KeyInfo" tag

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5the_document_foundation/libreoffice7.27.2.5
NVDlibreoffice/libreoffice7.2.07.2.5
Debianlibreoffice/libreoffice< 1:7.0.4-4+deb11u2+3

Also affects: Fedora 34

🔴Vulnerability Details

3
GHSA
GHSA-3cgr-wxhv-h7xw: LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurr2022-02-25
OSV
CVE-2021-25636: LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurr2022-02-24
CVEList
Incorrect trust validation of signature with ambiguous KeyInfo children2022-02-22

📋Vendor Advisories

3
Ubuntu
LibreOffice vulnerability2022-03-15
Red Hat
libreoffice: Incorrect trust validation of signature with ambiguous KeyInfo children2022-02-22
Debian
CVE-2021-25636: libreoffice - LibreOffice supports digital signatures of ODF documents and macros within docum...2021
CVE-2021-25636 — HIGH severity | cvebase