Vulnerability Description
123elf Lotus 1-2-3 before 1.0.0rc3 for Linux, and Lotus 1-2-3 R3 for UNIX and other platforms through 9.8.2, allow attackers to execute arbitrary code via a crafted worksheet. This occurs because of a stack-based buffer overflow in the cell format processing routines, as demonstrated by a certain function call from process_fmt() that can be reached via a w3r_format element in a wk3 document.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lotus 1-2-3 Project | Lotus 1-2-3 | 1.0.0 |
| Linux | Linux Kernel | - |
Related Weaknesses (CWE)
References
- https://github.com/taviso/123elf/issues/103 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/taviso/123elf/releases/tag/v1.0.0rc3 (Release Notes, Third Party Advisory)
FAQ
What is CVE-2022-39843?
CVE-2022-39843 is a vulnerability with a CVSS score of 7.8 (HIGH). 123elf Lotus 1-2-3 before 1.0.0rc3 for Linux, and Lotus 1-2-3 R3 for UNIX and other platforms through 9.8.2, allow attackers to execute arbitrary code via a crafted worksheet. This occurs because of a...
How severe is CVE-2022-39843?
CVE-2022-39843 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-39843?
Check the references section above for vendor advisories and patch information. Affected products include: Lotus 1-2-3 Project Lotus 1-2-3, Linux Linux Kernel.