VDB

CVE-2022-26306

CVE-2022-26306 PUBLISHED

Reported by Document Fdn. · Published July 25, 2022

LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.

Affected Products

VendorProductVersions
The Document FoundationLibreOffice7.2, 7.3
The Document FoundationLibreOffice7.3, 7.2
alpinelibreoffice0, 0, 0

Timeline

  • Jul 25, 2022 CVE Published
  • Jul 26, 2022 EPSS Score
  • Sep 11, 2022 EPSS Score
  • Oct 27, 2022 EPSS Score
  • Dec 13, 2022 EPSS Score
  • Jan 28, 2023 EPSS Score
  • Mar 7, 2023 EPSS Score
  • Mar 16, 2023 EPSS Score
  • May 2, 2023 EPSS Score
  • Jun 17, 2023 EPSS Score
  • Aug 3, 2023 EPSS Score
  • Sep 19, 2023 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›