CVE-2022-26306

Name
CVE-2022-26306
Description
LibreOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw existed in LibreOffice where the required initialization vector for encryption was always the same, which weakens the security of the encryption and makes the stored passwords vulnerable if an attacker has access to the user's configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.
NVD Severity
medium

References

Type          URI
MISC          https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306
Mailing List  http://www.openwall.com/lists/oss-security/2022/08/13/1
Mailing List  https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html

Match rules

CPE URI                                            Source package  Min version  Max version
cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*  libreoffice     >= 7.2.0     < 7.2.7
cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*  libreoffice     >= 7.3.0     < 7.3.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status