CVE-2022-26307

Severity: 8.8 HIGH
EPSS: 0.3% (top 47.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 25; Latest update Oct 20

Description

LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the master key was poorly encoded, weakening its entropy from 128 to 43 bits and making the stored passwords vulnerable to a brute-force attack if an attacker has access to the user's stored config. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (4 packages)

CVEListV5 | the_document_foundation/libreoffice | 7.2 | 7.2.7 | +1
NVD | libreoffice/libreoffice | 7.2.0 | 7.2.7 | +1
Debian | libreoffice | < 1:7.0.4-4+deb11u2 | +3
CVEListV5 | apache_software_foundation/apache_openoffice | Apache OpenOffice 4 | 4.1.13

Also affects: Debian Linux 10.0

🔴 Vulnerability Details (4)

OSV: libreoffice vulnerabilities (2022-10-06)
GHSA: GHSA-7p78-g262-f9rp: LibreOffice supports the storage of passwords for web connections in the user’s configuration database (2022-07-26)
OSV: CVE-2022-26307: LibreOffice supports the storage of passwords for web connections in the user’s configuration database (2022-07-25)
CVEList: Weak Master Keys (2022-07-25)

📋 Vendor Advisories (4)

Ubuntu: LibreOffice vulnerabilities (2022-10-20)
Ubuntu: LibreOffice vulnerabilities (2022-10-06)
Red Hat: libreoffice: Weak Master Keys (2022-07-25)
Debian: CVE-2022-26307: libreoffice - LibreOffice supports the storage of passwords for web connections in the user’s ... (2022)