Apache OpenOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 – LibreOffice.This CVE has a CVSS3.1 score of 8.1 and a Base Severity of HIGH.
| Info | Details |
|---|---|
| CVE ID | CVE-2022-37401 |
| CVE State | PUBLISHED |
| BaseScore | NA |
| BaseSeverity | NA |
| VectorString | NA |
| Version | NA |
References for CVE-2022-37401 :
https://www.openoffice.org/security/cves/CVE-2022-37401.html
http://www.openwall.com/lists/oss-security/2022/08/13/2
| Metric Type | Metric Score |
|---|---|
| AttackVector(AV) | NA |
| AttackComplexity(AC) | NA |
| PrivilegesRequired(PR) | NA |
| UserInteraction(UI) | NA |
| Scope(S) | NA |
| Confidentiality(C) | NA |
| Availability(A) | NA |
| Integrity(I) | NA |