CVE-2021-28129: Improper Access Control in Apache Software Foundation Apache OpenOffice

Severity: 7.8 HIGH (NVD)
EPSS: 0.1% (top 65.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 7; Latest update May 24

Description

While working on Apache OpenOffice 4.1.8, a developer discovered that the DEB package did not install using root, but instead used a userid and groupid of 500. This both caused issues with desktop integration and could allow a crafted attack on files owned by that user or group if they exist. Users who installed the Apache OpenOffice 4.1.8 DEB packaging should upgrade to the latest version of Apache OpenOffice.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: apache_software_foundation/apache_openoffice, Apache OpenOffice 4.1.8

Vulnerability Details (2)

GHSA: GHSA-67cj-mh2q-5g8c: While working on Apache OpenOffice 4 (2022-05-24)
CVEList: DEB packaging for Apache OpenOffice 4.1.8 installed with a non-root userid and groupid (2021-10-07)
CVE-2021-28129 — Improper Access Control | cvebase