CVE-2021-25636 : LibreOffice supports digital signatures of ODF documents and macros within docum

LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both "X509Data" and "KeyValue" children of the "KeyInfo" tag, which when opened caused LibreOffice to verify using the "KeyValue" but to report verification with the unrelated "X509Data" value. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.5.

Published 2022-02-24 15:15:22

Updated 2023-03-27 00:15:07

Source Document Foundation, The

View at NVD, CVE.org

Products affected by CVE-2021-25636

Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Libreoffice » Libreoffice
Versions from including (>=) 7.2.0 and before (<) 7.2.5
cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-25636

EPSS FAQ

0.11%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 27 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-25636

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2021-25636

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

Assigned by: nvd@nist.gov (Primary)
CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Assigned by: security@documentfoundation.org (Secondary)

References for CVE-2021-25636

https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html

[SECURITY] [DLA 3368-1] libreoffice security update

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NE6UIBCPZWRBWPSEGJOPNWPPT3CCMVH2/

[SECURITY] Fedora 34 Update: libreoffice-7.1.8.1-4.fc34 - package-announce - Fedora Mailing-Lists
https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25636/

CVE-2021-25636 | LibreOffice - Free Office Suite - Based on OpenOffice - Compatible with Microsoft
Vendor Advisory

Jump to

Vulnerability Details : CVE-2021-25636

Products affected by CVE-2021-25636

Exploit prediction scoring system (EPSS) score for CVE-2021-25636

CVSS scores for CVE-2021-25636

CWE ids for CVE-2021-25636

References for CVE-2021-25636