Apache OpenOffice Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password
CVE-2022-37400

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Openoffice
Vendor: CVE Published:; 15 August 2022

Summary

Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26306 - LibreOffice

Affected Version(s)

Apache OpenOffice Apache OpenOffice 4 < 4.1.13

References

https://www.openoffice.org/security/cves/CVE-2022-37400.html

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2022/08/13/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 15, 2022
Vulnerability Reserved
Aug 4, 2022

Credit

OpenSource Security GmbH on behalf of the German Federal Office for Information Security