CVE-2022-3140
Last modified
CVE-2022-3140 is a medium-severity vulnerability rated 6.3/10 on the CVSS scale. LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. EPSS estimates a 4.35% chance of exploitation in the next 30 days.
Description
LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice links using that scheme could be constructed to call internal macros with arbitrary arguments. Which when clicked on, or activated by document events, could result in arbitrary script execution without warning. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.1; 7.3 versions prior to 7.3.6.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Libreoffice | Libreoffice | >= 7.3.0, < 7.3.6 |
| Libreoffice | Libreoffice | 7.4.0 |
| Debian | Debian Linux | 11.0 |
| Fedoraproject | Fedora | 35 |
References
- https://security.gentoo.org/glsa/202212-04Third Party Advisory
- https://www.debian.org/security/2022/dsa-5252Third Party Advisory
- https://security.gentoo.org/glsa/202212-04Third Party Advisory
- https://www.debian.org/security/2022/dsa-5252Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-3140?
How severe is CVE-2022-3140?
How do I fix CVE-2022-3140?
Are you affected by CVE-2022-3140?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST