Bug 1201871 - (CVE-2022-26306) VUL-0: CVE-2022-26306: libreoffice: Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/338137/
CVSSv3.1:SUSE:CVE-2022-26306:3.3:(AV:...
Reported: 2022-07-26 09:48 UTC by Hu
Modified: 2022-09-16 07:32 UTC
Found By: Security Response Team
Description Hu 2022-07-26 09:48:12 UTC
CVE-2022-26306

LibreOffice supports the storage of passwords for web connections in the user’s
configuration database. The stored passwords are encrypted with a single master
key provided by the user. A flaw in LibreOffice existed where the required
initialization vector for encryption was always the same which weakens the
security of the encryption making them vulnerable if an attacker has access to
the user's configuration data. This issue affects: The Document Foundation
LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26306
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26306
https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306
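
Added example (not part of the original report, and not LibreOffice code): why a fixed IV weakens stored-password encryption under one master key, and how a unique IV per entry removes the weakness. The cipher is a stand-in HMAC-SHA256 keystream rather than LibreOffice's actual algorithm or storage format; the key, passwords, record layout and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

STATIC_IV = bytes(8)  # constructed: stands in for an IV that never changes


def keystream(key, iv, length):
    """Stand-in stream cipher (HMAC-SHA256 over iv||counter), not LibreOffice's."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def store(key, passwords, fresh_iv):
    """Encrypt each password; return (iv, ciphertext) records."""
    records = []
    for pw in passwords:
        iv = os.urandom(8) if fresh_iv else STATIC_IV
        records.append((iv, xor(pw, keystream(key, iv, len(pw)))))
    return records


def reused_ivs(records):
    """Audit check: IVs that protect more than one record."""
    seen, dup = set(), set()
    for iv, _ in records:
        (dup if iv in seen else seen).add(iv)
    return dup


def demo():
    key = hashlib.sha256(b"constructed master password").digest()
    pws = [b"hunter2-site-a", b"hunter2-site-a", b"correct-horse"]  # constructed
    weak, fixed = store(key, pws, False), store(key, pws, True)
    return {
        # Same key + same IV: equal passwords give equal ciphertexts.
        "weak_equal_ciphertexts": weak[0][1] == weak[1][1],
        # The keystream cancels, so ciphertext XOR equals plaintext XOR.
        "weak_xor_leaks_plaintext_xor": xor(weak[0][1], weak[2][1]) == xor(pws[0], pws[2]),
        "weak_reused_ivs": reused_ivs(weak),
        "fixed_equal_ciphertexts": fixed[0][1] == fixed[1][1],
        "fixed_reused_ivs": reused_ivs(fixed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `reused_ivs` check applies to any store that keeps the IV beside each ciphertext: a non-empty result means several secrets share one key and IV pair.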
Comment 1 Hu 2022-07-26 09:48:30 UTC
Affected:
- SUSE:SLE-12-SP5:Update/libreoffice  7.2.5.1
- SUSE:SLE-15-SP3:Update/libreoffice  7.2.5.1

Not Affected:
- openSUSE:Factory/libreoffice        7.3.4.2
Comment 4 Gabriele Sonnu 2022-09-16 07:32:11 UTC
Done.