CVE-2021-25636
LibreOffice supports digital signatures of ODF documents and of macros within documents, presenting visual aids indicating that the document has not been altered since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document so that it contains both "X509Data" and "KeyValue" children of the "KeyInfo" tag. When such a document was opened, LibreOffice verified the signature using the "KeyValue" but reported verification with the unrelated "X509Data" value. This issue affects The Document Foundation LibreOffice 7.2 versions prior to 7.2.5.
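The condition described above can be checked for when triaging signed ODF files: the sketch below lists every signature whose "KeyInfo" carries both an "X509Data" and a "KeyValue" child. It is an added example, not LibreOffice or vendor code; the function names and the in-memory sample package (with empty placeholder key material) are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace
STREAMS = {"documentsignatures.xml", "macrosignatures.xml"}


def ambiguous_keyinfo(odf_bytes):
    """List (stream, Signature Id) where KeyInfo holds both X509Data and KeyValue."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        for name in pkg.namelist():
            if name.rsplit("/", 1)[-1] not in STREAMS:
                continue
            data = pkg.read(name)
            if b"<!DOCTYPE" in data:  # signature streams need no DTD; skip entity tricks
                raise ValueError(f"{name}: unexpected DTD, not parsing")
            for sig in ET.fromstring(data).iter(DSIG + "Signature"):
                for key_info in sig.findall(DSIG + "KeyInfo"):
                    tags = {child.tag for child in key_info}
                    if {DSIG + "X509Data", DSIG + "KeyValue"} <= tags:
                        findings.append((name, sig.get("Id", "")))
    return findings


def build_sample(with_key_value):
    """Constructed test package: one signature stream, placeholder key material."""
    key_value = "<KeyValue><RSAKeyValue/></KeyValue>" if with_key_value else ""
    xml = (
        '<document-signatures xmlns="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0">'
        '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="ID_sample">'
        "<SignedInfo/><SignatureValue/>"
        f"<KeyInfo><X509Data><X509Certificate/></X509Data>{key_value}</KeyInfo>"
        "</Signature></document-signatures>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("META-INF/documentsignatures.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("X509Data only", False), ("X509Data + KeyValue", True)):
        print(label, "->", ambiguous_keyinfo(build_sample(flag)))
```

A hit marks a signature for manual review rather than proving tampering, because XML-DSig permits both children when they describe the same key. The remedy remains upgrading to a fixed LibreOffice release.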
EPSS 0.22% · 44.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | libreoffice | *, *, 0 |
| Ubuntu:18.04:LTS | libreoffice | 1:5.4.1-0ubuntu3, 1:5.4.2-0ubuntu5, 1:6.0.2-0ubuntu1 |
Timeline
- Feb 22, 2022 CVE Published
- Feb 23, 2022 EPSS Score
- Apr 16, 2022 EPSS Score
- Jun 7, 2022 EPSS Score
- Jul 30, 2022 EPSS Score
- Sep 19, 2022 EPSS Score
- Nov 10, 2022 EPSS Score
- Jan 1, 2023 EPSS Score
- Feb 22, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 15, 2023 EPSS Score
- Jun 6, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-25636 third-party-advisory
- https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25636 third-party-advisory
- https://ubuntu.com/security/notices/USN-5330-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-25636 third-party-advisory