Vulnerability Details : CVE-2022-26305
An Improper Certificate Validation vulnerability in LibreOffice existed where the check for whether a macro was signed by a trusted author only compared the serial number and issuer string of the signing certificate with those of a trusted certificate. That is not sufficient to establish that the macro was actually signed with the trusted certificate: an adversary can mint an arbitrary certificate whose serial number and issuer string are identical to a trusted certificate's, and LibreOffice would present it as belonging to the trusted author. A user who accepts that attribution could then execute arbitrary code contained in the improperly trusted macro. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.
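The following is an added example, not LibreOffice code and not the project's patch: a toy model of the trust decision described above. The vulnerable check accepts a signer certificate whenever some trusted certificate has the same serial number and issuer string; the hardened check requires the presented certificate to be identical to a trusted one (compared here by a hash over its fields, standing in for a DER fingerprint) and verifies the signature under the trusted copy's key. Textbook RSA with fixed Mersenne primes stands in for the X.509 signature, the certificate fields, the issuer name and the sample macro are all constructed for the demonstration, and none of it is suitable for real use.

```python
"""Toy model of the CVE-2022-26305 trust check (added example, not LibreOffice
code). Textbook RSA with fixed primes stands in for the X.509 signature, and a
SHA-256 over the certificate fields stands in for the DER fingerprint. Not for
real-world use."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str
    n: int  # RSA modulus (public key)
    e: int  # RSA public exponent

    def fingerprint(self) -> str:
        # Assumption: stands in for a hash of the full DER-encoded certificate.
        raw = f"{self.serial}|{self.issuer}|{self.n}|{self.e}".encode()
        return hashlib.sha256(raw).hexdigest()


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA keypair from two primes; returns (n, e, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d


def sign(data: bytes, n: int, d: int) -> int:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(h, d, n)


def verify(data: bytes, sig: int, n: int, e: int) -> bool:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(sig, e, n) == h


def trusted_by_serial_and_issuer(signer: Cert, trusted: list) -> bool:
    """Vulnerable logic from the advisory: the certificate that produced the
    signature counts as trusted if any trusted certificate has the same serial
    number and issuer string."""
    return any(t.serial == signer.serial and t.issuer == signer.issuer for t in trusted)


def trusted_by_exact_cert(macro: bytes, sig: int, signer: Cert, trusted: list) -> bool:
    """Hardened logic (example, not the project's patch): the presented
    certificate must be identical to a trusted one, and the signature must
    verify under the trusted copy's key, not under whatever key the document
    happened to carry."""
    for t in trusted:
        if t.fingerprint() == signer.fingerprint():
            return verify(macro, sig, t.n, t.e)
    return False


def run_scenario():
    """Returns (vulnerable_accepts_forgery, fixed_accepts_forgery, fixed_accepts_genuine)."""
    # Constructed keys: Mersenne primes, chosen so 65537 is coprime to phi(n).
    author_n, author_e, author_d = make_keypair(2**31 - 1, 2**61 - 1)
    attacker_n, attacker_e, attacker_d = make_keypair(2**89 - 1, 2**107 - 1)

    # Constructed trusted certificate of a macro author.
    author_cert = Cert(serial=0x1234, issuer="CN=Example Macro CA", n=author_n, e=author_e)
    trusted = [author_cert]

    # Attacker mints their own certificate, copying only the trusted serial and issuer.
    forged_cert = Cert(serial=author_cert.serial, issuer=author_cert.issuer,
                       n=attacker_n, e=attacker_e)

    macro = b'Sub Main\n  MsgBox "hello"\nEnd Sub\n'  # constructed sample macro
    forged_sig = sign(macro, attacker_n, attacker_d)
    genuine_sig = sign(macro, author_n, author_d)

    # The forged signature is internally valid against the forged certificate,
    # so "the signature verifies under the embedded cert" proves nothing about trust.
    assert verify(macro, forged_sig, forged_cert.n, forged_cert.e)

    return (
        trusted_by_serial_and_issuer(forged_cert, trusted),
        trusted_by_exact_cert(macro, forged_sig, forged_cert, trusted),
        trusted_by_exact_cert(macro, genuine_sig, author_cert, trusted),
    )


if __name__ == "__main__":
    vuln, fixed_forged, fixed_genuine = run_scenario()
    print(f"serial+issuer check accepts forged cert: {vuln}")
    print(f"exact-cert check accepts forged cert:    {fixed_forged}")
    print(f"exact-cert check accepts genuine cert:   {fixed_genuine}")
```

The point the scenario makes is that the forged signature verifies perfectly well under the certificate embedded in the document; the defect is in which certificate the trust decision is bound to. Any real implementation should match the presented certificate against the trusted store by its full encoding (or a cryptographic fingerprint of it) and verify the signature with the key from the trusted copy, never by serial number and issuer alone.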
Vulnerability category: Execute code
Products affected by CVE-2022-26305
- cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:* (7.2 versions prior to 7.2.7, per the description above)
- cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:* (7.3 versions prior to 7.3.1, per the description above)
Exploit prediction scoring system (EPSS) score for CVE-2022-26305
EPSS score: 0.53% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~65% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-26305
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.6 | 5.9 | NIST | |
CWE ids for CVE-2022-26305
- Improper Certificate Validation: the product does not validate, or incorrectly validates, a certificate.
  Assigned by:
  - nvd@nist.gov (Primary)
  - security@documentfoundation.org (Secondary)
References for CVE-2022-26305
- https://www.libreoffice.org/about-us/security/advisories/cve-2022-26305 (Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html ([SECURITY] [DLA 3368-1] libreoffice security update)