cnvd - cnvd-2022-55627

cnvd-2022-55627

Vulnerability from cnvd

Title: LibreOffice信任管理问题漏洞（CNVD-2022-55627）

Description:

LibreOffice是一套可与其他主要办公室软体相容的套件，可在各种平台上执行。

LibreOffice存在信任管理问题漏洞。攻击者可利用该漏洞通过操纵文档中的documentsignatures.xml或macrosignatures.xml流来组合多个证书数据，从而创建数字签名的ODF文档，打开时，会导致LibreOffice显示一个有效签名的指示器，但其内容与显示的签名无关。

Severity: 中

Patch Name: LibreOffice信任管理问题漏洞（CNVD-2022-55627）的补丁

Patch Description:

LibreOffice是一套可与其他主要办公室软体相容的套件，可在各种平台上执行。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25633

Reference: https://www.debian.org/security/2021/dsa-4988

Impacted products

Name
['LibreOffice LibreOffice <7.0.6', 'LibreOffice LibreOffice <7.1.2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-25633",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-25633"
    }
  },
  "description": "LibreOffice\u662f\u4e00\u5957\u53ef\u4e0e\u5176\u4ed6\u4e3b\u8981\u529e\u516c\u5ba4\u8f6f\u4f53\u76f8\u5bb9\u7684\u5957\u4ef6\uff0c\u53ef\u5728\u5404\u79cd\u5e73\u53f0\u4e0a\u6267\u884c\u3002\n\nLibreOffice\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u64cd\u7eb5\u6587\u6863\u4e2d\u7684documentsignatures.xml\u6216macrosignatures.xml\u6d41\u6765\u7ec4\u5408\u591a\u4e2a\u8bc1\u4e66\u6570\u636e\uff0c\u4ece\u800c\u521b\u5efa\u6570\u5b57\u7b7e\u540d\u7684ODF\u6587\u6863\uff0c\u6253\u5f00\u65f6\uff0c\u4f1a\u5bfc\u81f4LibreOffice\u663e\u793a\u4e00\u4e2a\u6709\u6548\u7b7e\u540d\u7684\u6307\u793a\u5668\uff0c\u4f46\u5176\u5185\u5bb9\u4e0e\u663e\u793a\u7684\u7b7e\u540d\u65e0\u5173\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.libreoffice.org/about-us/security/advisories/CVE-2021-25633",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-55627",
  "openTime": "2022-08-03",
  "patchDescription": "LibreOffice\u662f\u4e00\u5957\u53ef\u4e0e\u5176\u4ed6\u4e3b\u8981\u529e\u516c\u5ba4\u8f6f\u4f53\u76f8\u5bb9\u7684\u5957\u4ef6\uff0c\u53ef\u5728\u5404\u79cd\u5e73\u53f0\u4e0a\u6267\u884c\u3002\r\n\r\nLibreOffice\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u64cd\u7eb5\u6587\u6863\u4e2d\u7684documentsignatures.xml\u6216macrosignatures.xml\u6d41\u6765\u7ec4\u5408\u591a\u4e2a\u8bc1\u4e66\u6570\u636e\uff0c\u4ece\u800c\u521b\u5efa\u6570\u5b57\u7b7e\u540d\u7684ODF\u6587\u6863\uff0c\u6253\u5f00\u65f6\uff0c\u4f1a\u5bfc\u81f4LibreOffice\u663e\u793a\u4e00\u4e2a\u6709\u6548\u7b7e\u540d\u7684\u6307\u793a\u5668\uff0c\u4f46\u5176\u5185\u5bb9\u4e0e\u663e\u793a\u7684\u7b7e\u540d\u65e0\u5173\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "LibreOffice\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2022-55627\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "LibreOffice LibreOffice \u003c7.0.6",
      "LibreOffice LibreOffice \u003c7.1.2"
    ]
  },
  "referenceLink": "https://www.debian.org/security/2021/dsa-4988",
  "serverity": "\u4e2d",
  "submitTime": "2021-10-18",
  "title": "LibreOffice\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2022-55627\uff09"
}

CVE-2021-25633 (GCVE-0-2021-25633)

Vulnerability from cvelistv5

Published

2021-10-11 16:43

Modified

2024-09-16 18:28

Severity ?

CWE

CWE-295 - Improper Certificate Validation

Summary

LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to combine multiple certificate data, which when opened caused LibreOffice to display a validly signed indicator but whose content was unrelated to the signature shown. This issue affects: The Document Foundation LibreOffice 7-0 versions prior to 7.0.6; 7-1 versions prior to 7.1.2.

References

▼	URL	Tags
	https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25633	x_refsource_MISC
	https://www.debian.org/security/2021/dsa-4988	vendor-advisory, x_refsource_DEBIAN

Impacted products

	Vendor	Product	Version
	The Document Foundation	LibreOffice	Version: 7-0 < 7.0.6 Version: 7-1 < 7.1.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:11:27.676Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25633"
          },
          {
            "name": "DSA-4988",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4988"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LibreOffice",
          "vendor": "The Document Foundation",
          "versions": [
            {
              "lessThan": "7.0.6",
              "status": "affected",
              "version": "7-0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.1.2",
              "status": "affected",
              "version": "7-1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "NDS of Ruhr University Bochum"
        }
      ],
      "datePublic": "2021-10-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to combine multiple certificate data, which when opened caused LibreOffice to display a validly signed indicator but whose content was unrelated to the signature shown. This issue affects: The Document Foundation LibreOffice 7-0 versions prior to 7.0.6; 7-1 versions prior to 7.1.2."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295 Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-17T10:06:21",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25633"
        },
        {
          "name": "DSA-4988",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4988"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update to 7.0.6 or 7.1.2 or 7.2.0"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Content Manipulation with Double Certificate Attack",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@documentfoundation.org",
          "DATE_PUBLIC": "2021-10-11T00:00:00.000Z",
          "ID": "CVE-2021-25633",
          "STATE": "PUBLIC",
          "TITLE": "Content Manipulation with Double Certificate Attack"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "LibreOffice",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "7-0",
                            "version_value": "7.0.6"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "7-1",
                            "version_value": "7.1.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "The Document Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "NDS of Ruhr University Bochum"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to combine multiple certificate data, which when opened caused LibreOffice to display a validly signed indicator but whose content was unrelated to the signature shown. This issue affects: The Document Foundation LibreOffice 7-0 versions prior to 7.0.6; 7-1 versions prior to 7.1.2."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-295 Improper Certificate Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25633",
              "refsource": "MISC",
              "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25633"
            },
            {
              "name": "DSA-4988",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-4988"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update to 7.0.6 or 7.1.2 or 7.2.0"
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2021-25633",
    "datePublished": "2021-10-11T16:43:34.400173Z",
    "dateReserved": "2021-01-19T00:00:00",
    "dateUpdated": "2024-09-16T18:28:34.730Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted