Information Disclosure in Apache OpenOffice by The Document Rendering Process
CVE-2017-3157

5.5MEDIUM

Key Information:

Vendor
Apache
Status
Apache Openoffice
Vendor
CVE Published:
20 November 2017

Summary

Apache OpenOffice prior to version 4.1.4 contains a vulnerability that allows an attacker to exploit the application’s handling of embedded objects. By creating a specially crafted document, the attacker can trick users into saving the document, leading to potential unauthorized access to sensitive files stored on the user's system. This issue relies on the user being manipulated into providing access by saving the malicious document, which might include hidden sections designed to retrieve information from the filesystem. Although the attacker must possess knowledge of the file path on the target system, the successful execution of this exploit poses a risk of data breaches.

Affected Version(s)

Apache OpenOffice 4.0.0 to 4.1.3, and some previous releases, including some using our old OpenOffice.org brand

References

https://access.redhat.com/errata/RHSA-2017:0914
vendor-advisoryx_refsource_REDHAT
https://www.debian.org/security/2017/dsa-3792
vendor-advisoryx_refsource_DEBIAN
http://www.securitytracker.com/id/1037893
vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.