Privilege Escalation Vulnerability in Collabora Online's loolforkit
CVE-2021-25630

7.8HIGH

Key Information:

Vendor: Collabora Productivity
Status: Collabora Online; Libreoffice Online
Vendor: CVE Published:; 23 February 2021

🔔 Create Collabora Productivity Vulnerability Alert

What is CVE-2021-25630?

The 'loolforkit' component of Collabora Online has a flaw that allows non-privileged users to execute the program with elevated privileges. This occurs because the initial check intended to verify the user invoking the program is improperly implemented, failing to restrict unauthorized access. As a result, a normal user could potentially gain local root privileges, leading to serious security implications and unauthorized access to sensitive system components.

Affected Version(s)

Collabora Online Collabora Online 4.2 < 4.2.13

Collabora Online Collabora Online 6.4 < 6.4.3

LibreOffice Online <= 7.0.1.1

References

https://github.com/CollaboraOnline/online/security/adviso...

x_refsource_MISC

https://www.openwall.com/lists/oss-security/2021/01/18/3

x_refsource_MISC

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 23, 2021
Vulnerability Reserved
Jan 19, 2021

Credit

Thanks to Matthias Gerstner (SUSE) for raising the issue.

CVE-2021-25630 Data

JSON