CVE-2022-3140

NameCVE-2022-3140
DescriptionLibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice links using that scheme could be constructed to call internal macros with arbitrary arguments. Which when clicked on, or activated by document events, could result in arbitrary script execution without warning. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.1; 7.3 versions prior to 7.3.6.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5252-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libreoffice (PTS)buster1:6.1.5-3+deb10u7vulnerable
buster (security)1:6.1.5-3+deb10u4vulnerable
bullseye1:7.0.4-4+deb11u3vulnerable
bullseye (security)1:7.0.4-4+deb11u4fixed
bookworm, sid1:7.4.3-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libreofficesourcebullseye1:7.0.4-4+deb11u4DSA-5252-1
libreofficesource(unstable)1:7.4.1~rc2-3

Notes

https://www.libreoffice.org/about-us/security/advisories/cve-2022-3140

Search for package or bug name: Reporting problems