Vulnerability Description
Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26306 - LibreOffice
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Openoffice | < 4.1.13 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2022/08/13/1Mailing ListThird Party Advisory
- https://www.openoffice.org/security/cves/CVE-2022-37400.htmlPatchProduct
- http://www.openwall.com/lists/oss-security/2022/08/13/1Mailing ListThird Party Advisory
- https://www.openoffice.org/security/cves/CVE-2022-37400.htmlPatchProduct
FAQ
What is CVE-2022-37400?
CVE-2022-37400 is a vulnerability with a CVSS score of 8.8 (HIGH). Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw i...
How severe is CVE-2022-37400?
CVE-2022-37400 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-37400?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Openoffice.