CVE-2022-26306 vulnerability in LibreOffice and Other Products
Published on July 25, 2022

Execution of Untrusted Macros Due to Improper Certificate Validation

LibreOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same, which weakens the security of the encryption and makes the stored passwords vulnerable if an attacker has access to the user's configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.

NVD

Weakness Type

Inadequate Encryption Strength

The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.



Affected Versions

The Document Foundation LibreOffice:

Exploit Probability

EPSS: 0.36%
Percentile: 58.15%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.