CVE-2022-38745

NameCVE-2022-38745
DescriptionApache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3526-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libreoffice (PTS)bullseye1:7.0.4-4+deb11u10fixed
bullseye (security)1:7.0.4-4+deb11u12fixed
bookworm4:7.4.7-1+deb12u7fixed
bookworm (security)4:7.4.7-1+deb12u8fixed
trixie4:25.2.2-3fixed
sid4:25.2.3-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libreofficesourcebuster1:6.1.5-3+deb10u10DLA-3526-1
libreofficesourcebullseye1:7.0.4-4+deb11u6
libreofficesource(unstable)1:7.3.1-1

Notes

https://cgit.freedesktop.org/libreoffice/core/commit/?id=5e8f64e50f97d39e83a3358697be14db03566878
https://www.libreoffice.org/about-us/security/advisories/CVE-2022-38745
Search for package or bug name: Reporting problems