CVE-2022-38745
Published: 24 March 2023
Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory.
Priority
Status
Package | Release | Status |
---|---|---|
libreoffice Launchpad, Ubuntu, Debian |
bionic |
Released
(1:6.0.7-0ubuntu0.18.04.13)
|
focal |
Released
(1:6.4.7-0ubuntu0.20.04.7)
|
|
jammy |
Not vulnerable
(1:7.3.7-0ubuntu0.22.04.2)
|
|
kinetic |
Not vulnerable
|
|
lunar |
Not vulnerable
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Released
(1:7.3.1-1)
|
|
xenial |
Ignored
(end of standard support)
|
|
Patches: upstream: https://cgit.freedesktop.org/libreoffice/core/commit/?id=5e8f64e50f97d39e83a3358697be14db03566878 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |