cnvd - cnvd-2020-33656

cnvd-2020-33656

Vulnerability from cnvd

Title: LibreOffice存在未明漏洞

Description:

LibreOffice是文档基金会（The Document Foundation，TDF）的一套开源的办公软件套件。该产品包含Writer（文本文档）、Calc（电子表格）和Impress（演示文稿）等应用程序。

LibreOffice 6.3.6之前的6.3.x版本和6.4.3之前的6.4.x版本中存在安全漏洞，攻击者可利用该漏洞获取信息。

Severity: 中

Patch Name: LibreOffice存在未明漏洞的补丁

Patch Description:

LibreOffice 6.3.6之前的6.3.x版本和6.4.3之前的6.4.x版本中存在安全漏洞，攻击者可利用该漏洞获取信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12801

Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-12801

Impacted products

Name
['LibreOffice LibreOffice 6.3.，<6.3.6', 'LibreOffice LibreOffice 6.4.，<6.4.3']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-12801"
    }
  },
  "description": "LibreOffice\u662f\u6587\u6863\u57fa\u91d1\u4f1a\uff08The Document Foundation\uff0cTDF\uff09\u7684\u4e00\u5957\u5f00\u6e90\u7684\u529e\u516c\u8f6f\u4ef6\u5957\u4ef6\u3002\u8be5\u4ea7\u54c1\u5305\u542bWriter\uff08\u6587\u672c\u6587\u6863\uff09\u3001Calc\uff08\u7535\u5b50\u8868\u683c\uff09\u548cImpress\uff08\u6f14\u793a\u6587\u7a3f\uff09\u7b49\u5e94\u7528\u7a0b\u5e8f\u3002\n\nLibreOffice 6.3.6\u4e4b\u524d\u76846.3.x\u7248\u672c\u548c6.4.3\u4e4b\u524d\u76846.4.x\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.libreoffice.org/about-us/security/advisories/CVE-2020-12801",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-33656",
  "openTime": "2020-06-19",
  "patchDescription": "LibreOffice\u662f\u6587\u6863\u57fa\u91d1\u4f1a\uff08The Document Foundation\uff0cTDF\uff09\u7684\u4e00\u5957\u5f00\u6e90\u7684\u529e\u516c\u8f6f\u4ef6\u5957\u4ef6\u3002\u8be5\u4ea7\u54c1\u5305\u542bWriter\uff08\u6587\u672c\u6587\u6863\uff09\u3001Calc\uff08\u7535\u5b50\u8868\u683c\uff09\u548cImpress\uff08\u6f14\u793a\u6587\u7a3f\uff09\u7b49\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nLibreOffice 6.3.6\u4e4b\u524d\u76846.3.x\u7248\u672c\u548c6.4.3\u4e4b\u524d\u76846.4.x\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "LibreOffice\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "LibreOffice LibreOffice 6.3.*\uff0c\u003c6.3.6",
      "LibreOffice LibreOffice 6.4.*\uff0c\u003c6.4.3"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-12801",
  "serverity": "\u4e2d",
  "submitTime": "2020-05-19",
  "title": "LibreOffice\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2020-12801 (GCVE-0-2020-12801)

Vulnerability from cvelistv5

Published

2020-05-18 14:20

Modified

2024-11-18 17:29

Severity ?

CWE

CWE-311 - Missing Encryption of Sensitive Data

Summary

If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, LibreOffice offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was not LibreOffice's default ODF file format, then affected versions of LibreOffice default that subsequent saves of the document are unencrypted. This may lead to a user accidentally saving a MSOffice file format document unencrypted while believing it to be encrypted. This issue affects: LibreOffice 6-3 series versions prior to 6.3.6; 6-4 series versions prior to 6.4.3.

References

▼	URL	Tags
	https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12801
	http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00011.html	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html	mailing-list

Impacted products

	Vendor	Product	Version
	The Document Foundation	LibreOffice	Version: 6-3 series < 6.3.6 Version: 6-4 series < 6.4.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:04:22.875Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12801"
          },
          {
            "name": "openSUSE-SU-2020:0786",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00011.html"
          },
          {
            "name": "[debian-lts-announce] 20231231 [SECURITY] [DLA 3703-1] libreoffice security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-12801",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-01-10T15:37:49.768784Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-18T17:29:42.515Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LibreOffice",
          "vendor": "The Document Foundation",
          "versions": [
            {
              "lessThan": "6.3.6",
              "status": "affected",
              "version": "6-3 series",
              "versionType": "custom"
            },
            {
              "lessThan": "6.4.3",
              "status": "affected",
              "version": "6-4 series",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Thanks to Tomas Florian \u003ctomas@armoreye.ca\u003e for raising awareness of the issue"
        }
      ],
      "datePublic": "2020-05-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, LibreOffice offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was not LibreOffice\u0027s default ODF file format, then affected versions of LibreOffice default that subsequent saves of the document are unencrypted. This may lead to a user accidentally saving a MSOffice file format document unencrypted while believing it to be encrypted. This issue affects: LibreOffice 6-3 series versions prior to 6.3.6; 6-4 series versions prior to 6.4.3."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-311",
              "description": "CWE-311 Missing Encryption of Sensitive Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-31T14:06:29.477186",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12801"
        },
        {
          "name": "openSUSE-SU-2020:0786",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00011.html"
        },
        {
          "name": "[debian-lts-announce] 20231231 [SECURITY] [DLA 3703-1] libreoffice security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Crash-recovered MSOffice encrypted documents defaulted to not to using encryption on next save",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2020-12801",
    "datePublished": "2020-05-18T14:20:08.325905Z",
    "dateReserved": "2020-05-12T00:00:00",
    "dateUpdated": "2024-11-18T17:29:42.515Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted