mageia | Gentoo Foundation | MGASA-2022-0400
Oct 29, 2022 - 2:32 a.m.

Updated libreoffice packages fix security vulnerability

advisories.mageia.org
libreoffice, security vulnerability, office uri schemes, browser integration, ms sharepoint, command scheme, arbitrary arguments, script execution, cve-2022-3140, unix

CVSS3: 6.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

EPSS: 0.002
Percentile: 57.6%

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme, ‘vnd.libreoffice.command’, specific to LibreOffice, was added. In the affected versions of LibreOffice, links using that scheme could be constructed to call internal macros with arbitrary arguments. When clicked on, or activated by document events, such links could result in arbitrary script execution without warning. (CVE-2022-3140)

OS      Version  Architecture  Package      Version      Filename
Mageia  8        noarch        libreoffice  < 7.3.6.2-1  libreoffice-7.3.6.2-1.mga8
Mageia  8        noarch        libmwaw      < 0.3.21-1   libmwaw-0.3.21-1.mga8
