CVE-2022-37401

Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice

Published: Aug 15, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-37401
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-326
CWE-312
CWE-331

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
apache / openoffice	-	4.1.13

http://www.openwall.com/lists/oss-security/2022/08/13/2
https://www.openoffice.org/security/cves/CVE-2022-37401.html

Vulnerability Database

289,697

CVE-2022-37401