Code Execution Vulnerability in Apache OpenOffice Installer for Windows
CVE-2016-6804

7.8HIGH

Key Information:

Vendor

Apache
Status
Apache Openoffice
Vendor
CVE Published:
20 November 2017

What is CVE-2016-6804?

The installer for Apache OpenOffice, particularly versions before 4.1.3 (including certain instances branded as OpenOffice.org), contains a serious flaw that permits the execution of arbitrary code with elevated privileges. This vulnerability is triggered when the installer is executed from a compromised directory where a malicious dynamic-link library file has been planted. Due to this design weakness, an attacker could leverage this exploitation method to gain unauthorized access and control over the affected system.

Affected Version(s)

Apache OpenOffice 4.0.0 to 4.1.2

Apache OpenOffice older releases are also affected, including some branded as OpenOffice.org

References

https://www.openoffice.org/security/cves/CVE-2016-6804.html
x_refsource_CONFIRM
http://www.securityfocus.com/bid/93774
vdb-entryx_refsource_BID
http://www.securitytracker.com/id/1037016
vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.