CVE-2022-38745

CWE-94 — Code Injection CWE-427 CWE-11887 documents7 sources

Severity

7.8HIGH

EPSS

0.1%

top 67.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Openoffice Apache Openoffice

Timeline

PublishedMar 24

Latest updateApr 17

Description

Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/openoffice< 4.1.14

▶CVEListV5apache_software_foundation/apache_openoffice< 4.1.14

▶Debianlibreoffice< 1:7.0.4-4+deb11u6+3

🔴Vulnerability Details

GHSA

GHSA-w32v-x9j2-mv46: Apache OpenOffice versions before 4↗2023-03-24

▶

CVEList

Apache OpenOffice: Empty entry in Java class path↗2023-03-24

▶

OSV

CVE-2022-38745: Apache OpenOffice versions before 4↗2023-03-24

▶

📋Vendor Advisories

Ubuntu

LibreOffice vulnerability↗2023-04-17

▶

Red Hat

libreoffice: Empty entry in Java class path↗2023-03-24

▶

Debian

CVE-2022-38745: libreoffice - Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry...↗2022

▶