CVE-2017-3157

Published: 22 February 2017

By exploiting the way Apache OpenOffice before 4.1.4 renders embedded objects, an attacker could craft a document that allows reading in a file from the user's filesystem. Information could be retrieved by the attacker by, e.g., using hidden sections to store the information, tricking the user into saving the document and convincing the user to send the document back to the attacker. The vulnerability is mitigated by the need for the attacker to know the precise file path in the target system, and the need to trick the user into saving the document and sending it back.

Priority

Medium

CVSS 3 Severity Score

5.5

Status

Package         Release   Status
openoffice.org  upstream  Needs triage
                precise   Not vulnerable (transitional packages)
                trusty    Does not exist
                xenial    Does not exist
                yakkety   Does not exist
libreoffice     upstream  Needs triage
                precise   Released (1:3.5.7-0ubuntu13)
                trusty    Released (1:4.2.8-0ubuntu5)
                xenial    Released (1:5.1.6~rc2-0ubuntu1~xenial1)
                yakkety   Not vulnerable (1:5.2.2-0ubuntu2)

Severity score breakdown

Parameter            Value
Base score           5.5
Attack vector        Local
Attack complexity    Low
Privileges required  None
User interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity impact     None
Availability impact  None
Vector               CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N