Heap Overflow in Onlyoffice Document Server and Core Products
CVE-2022-29777

9.8 CRITICAL

Key Information:

Vendor: Onlyoffice

CVE Published: 2 June 2022

What is CVE-2022-29777?

The vulnerability in Onlyoffice Document Server and Core products is a heap overflow in the font conversion process of the DesktopEditor component. It affects Document Server v6.0.0 and below and Core 6.1.0.26 and below, and could lead to unexpected behavior, including the possibility of unauthorized access or data manipulation. Users are encouraged to update to the latest versions to mitigate associated risks.

EPSS Score

16% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
