CVE-2022-26307

Weak Master Keys

EPSS 1.1%CWE-326

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 1.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

25 Jul 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulerable to a brute force attack if an attacker has access to the users stored config. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.3.

Affected products

The Document Foundation · LibreOffice

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307 http://www.openwall.com/lists/oss-security/2022/08/13/2