[openoffice-org] 01/02: Security Bulletin for the Apache OpenOffice 4.1.13 Release

2022-08-12 Thread marcus
This is an automated email from the ASF dual-hosted git repository.

marcus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/openoffice-org.git

commit 7afce346b65ac5a8c924de594f5da14d0bc3b668
Author: Marcus 
AuthorDate: Fri Aug 12 19:47:18 2022 +0200

Security Bulletin for the Apache OpenOffice 4.1.13 Release
---
 content/security/bulletin.html | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/content/security/bulletin.html b/content/security/bulletin.html
index aa5fc8352..b68b4761f 100644
--- a/content/security/bulletin.html
+++ b/content/security/bulletin.html
@@ -19,6 +19,13 @@
 subscribe to our security-alerts mailing 
list.
   
 
+  Fixed in Apache OpenOffice 4.1.13
+
+  
+CVE-2022-37400: Static 
Initialization Vector Allows to Recover Passwords for Web Connections Without 
Knowing the Master Password
+CVE-2022-37401: Weak Master 
Keys
+  
+
   Fixed in Apache OpenOffice 4.1.11
 
   
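Review bot: The new "Fixed in Apache OpenOffice 4.1.13" block lists CVE-2022-37400 and CVE-2022-37401, but this commit changes only bulletin.html (1 file changed, 7 insertions), so confirm that the advisory pages for both CVEs go live in the same push; otherwise the bulletin names fixes that readers cannot look up. A smaller wording point on the first entry: "Allows to Recover Passwords" reads awkwardly, and if the title is not dictated by the CVE record, "Allows Recovery of Passwords" is clearer. Whichever wording is kept should match the heading on the advisory page exactly.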



[openoffice-org] 01/02: Security Bulletin for the Apache OpenOffice 4.1.13 Release

2022-08-07 Thread marcus
This is an automated email from the ASF dual-hosted git repository.

marcus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/openoffice-org.git

commit 83f111534d297fbd7d738d1f016c229ac3fe997c
Author: Marcus 
AuthorDate: Sun Aug 7 17:09:29 2022 +0200

Security Bulletin for the Apache OpenOffice 4.1.13 Release
---
 content/security/cves/CVE-2022-37400.html | 90 +++
 1 file changed, 90 insertions(+)

diff --git a/content/security/cves/CVE-2022-37400.html 
b/content/security/cves/CVE-2022-37400.html
new file mode 100644
index 0..d188d8a78
--- /dev/null
+++ b/content/security/cves/CVE-2022-37400.html
@@ -0,0 +1,90 @@
+http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
+http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
+  
+
+CVE-2022-37400
+  
+
+  
+
+  https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-37400";>CVE-2022-37400
+
+
+  https://www.openoffice.org/security/cves/CVE-2022-37400.html";>Apache 
OpenOffice Advisory
+
+
+  Static Initialization Vector Allows to Recover Passwords for Web 
Connections Without Knowing
+  the Master Password
+
+
+  Fixed in Apache OpenOffice 4.1.13
+
+
+  Description
+
+
+ Apache OpenOffice supports the storage of passwords for web connections 
in the user's configuration
+ database. The stored passwords are encrypted with a single master key 
provided by the user. A flaw in
+ OpenOffice existed where the required initialization vector for 
encryption was always the same which
+ weakens the security of the encryption making them vulnerable if an 
attacker has access to the user's
+ configuration data.
+
+
+  Severity: Moderate
+
+
+  There are no known exploits of this vulnerability.
+  
+  A proof-of-concept demonstration exists.
+
+
+  Thanks to the reporter for discovering this issue.
+
+
+  Vendor: The Apache Software Foundation
+
+
+  Versions Affected
+
+
+  All Apache OpenOffice versions 4.1.12 and older are affected.
+  
+  OpenOffice.org versions may also be affected.
+
+
+  Mitigation
+
+
+  Install Apache OpenOffice 4.1.13 for the latest maintenance and 
cumulative security fixes.
+  Use the Apache OpenOffice https://www.openoffice.org/download/";> download page.
+
+
+  Acknowledgments
+
+
+  The Apache OpenOffice Security Team would like to thank Selma Jabour, 
OpenSource Security GmbH,
+  Germany on behalf of the German Federal Office for Information Security, 
for discovering and
+  reporting this attack vector
+
+
+  Further Information
+
+
+  For additional information and assistance, consult the
+  https://forum.openoffice.org/";>Apache OpenOffice Community 
Forums
+  or make requests to the
+  mailto:us...@openoffice.apache.org";>us...@openoffice.apache.org
+  public mailing list.
+
+
+  The latest information on Apache OpenOffice security bulletins can be 
found at the
+  https://www.openoffice.org/security/bulletin.html";>Bulletin 
Archive page.
+
+
+
+  https://security.openoffice.org";>Security Home->
+  https://www.openoffice.org/security/bulletin.html";>Bulletin->
+  https://www.openoffice.org/security/cves/CVE-2022-37400.html";>CVE-2022-37400
+
+  
+
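Review bot: The Mitigation section only tells users to install 4.1.13 and does not say what happens to passwords that 4.1.12 or older already wrote to the configuration database. Since the Description says the stored passwords are exposed to anyone with access to the user's configuration data, add a sentence stating whether existing entries are re-encrypted on upgrade or whether users need to re-save them, and whether changing the stored web passwords is advised where the configuration data may have been copied. Two wording points in the Description: it says "master key provided by the user" while the title says "Master Password", so pick one term or explain how they relate, and in "making them vulnerable" the pronoun has no clear antecedent ("making the stored passwords vulnerable" would fix it). The Acknowledgments sentence ends at "reporting this attack vector" without a full stop, and the earlier line "Thanks to the reporter for discovering this issue." repeats it and could be dropped.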