CVE-2022-26306

HIGH

LibreOffice 7.2.0-7.2.6 and 7.3.0 - Inadequate Encryption Strength in Stored Passwords

Title source: llm

Description

LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.

References (3)

Core 3

Core References

Mailing List, Third Party Advisory mailing-list

http://www.openwall.com/lists/oss-security/2022/08/13/1

Mailing List, Third Party Advisory mailing-list

https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html

Vendor Advisory

https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306

Scores

CVSS v3 7.5

EPSS 0.0078

EPSS Percentile 51.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-326 CWE-330

Status published

Products (2)

debian/debian_linux 10.0

libreoffice/libreoffice 7.2.0 - 7.2.7

Published Jul 25, 2022

Tracked Since Feb 18, 2026