CVE-2022-26307

LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulerable to a brute force attack if an attacker has access to the users stored config. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.3.

Published: Jul 25, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-26307
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-312

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
libreoffice / libreoffice	7.2.0	7.2.7
libreoffice / libreoffice	7.3.0	7.3.3
debian / debian_linux	10.0	10.0.x

http://www.openwall.com/lists/oss-security/2022/08/13/2
https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html
https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307

Vulnerability Database

289,697

CVE-2022-26307