Apache OpenOffice: Empty entry in Java class path
CVE-2022-38745

7.8HIGH

Key Information:

Vendor: Apache
Status: Apache Openoffice
Vendor: CVE Published:; 24 March 2023

Summary

A security configuration issue in Apache OpenOffice allows for the potential execution of arbitrary Java code from the current directory due to an empty entry being added to the Java class path. This could lead to security risks as malicious actors might exploit this vulnerability to run untrusted code in the context of the application. Users running versions before 4.1.14 are advised to upgrade to mitigate these risks.

Affected Version(s)

Apache OpenOffice 0 < 4.1.14

References

https://lists.apache.org/thread/q3noq7m681kvtb29m28x74q8c...

vendor-advisory

https://www.openoffice.org/security/cves/CVE-2022-38745.html

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 24, 2023
Vulnerability Reserved
Aug 25, 2022

Credit

European Commission's Open Source Programme Office