CVE-2022-3140

Macro URL arbitrary script execution

Severity Score

6.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice links using that scheme could be constructed to call internal macros with arbitrary arguments. Which when clicked on, or activated by document events, could result in arbitrary script execution without warning. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.1; 7.3 versions prior to 7.3.6.

LibreOffice es compatible con los esquemas URI de Office para permitir la integración del navegador de LibreOffice con el servidor de MS SharePoint. Ha sido añadido un esquema adicional "vnd.libreoffice.command" específico para LibreOffice. En versiones afectadas de LibreOffice los enlaces que usaban ese esquema podían construirse para llamar a macros internas con argumentos arbitrarios. Lo cual, cuando hacía clic en ellos, o eran activados mediante eventos del documento, podía resultar en una ejecución de scripts arbitrarios sin previo aviso. Este problema afecta a: Las versiones de LibreOffice 7.4 de Document Foundation anteriores a 7.4.1; versiones 7.3 anteriores a 7.3.6

A vulnerability was found in LibreOffice that affects the Office URI Schemes. These schemes enable browser integration of LibreOffice with the MS SharePoint server. In LibreOffice, the links using the scheme 'vnd.libreoffice.command' could be constructed to call internal macros with arbitrary arguments, which, when clicked, or activated by document events, could result in arbitrary script execution without warning. The attacker must trick the targeted individual into opening a malicious file to trigger the exploit.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of LibreOffice. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of document files. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to execute code in the context of the current process.

*Credits: TheSecurityDev working with Trend Micro Zero Day Initiative

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-06 CVE Reserved
2022-10-11 CVE Published
2024-07-30 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CAPEC

References (7)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TORANVTIWWBH3DNJR4UZATAG67KZOH32	2023-03-27
https://security.gentoo.org/glsa/202212-04	2023-03-27
https://www.debian.org/security/2022/dsa-5252	2023-03-27
https://www.libreoffice.org/about-us/security/advisories/CVE-2022-3140	2023-03-27
https://access.redhat.com/security/cve/CVE-2022-3140	2023-01-23
https://bugzilla.redhat.com/show_bug.cgi?id=2134697	2023-01-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Libreoffice Search vendor "Libreoffice"		Libreoffice Search vendor "Libreoffice" for product "Libreoffice"				>= 7.3.0 < 7.3.6 Search vendor "Libreoffice" for product "Libreoffice" and version " >= 7.3.0 < 7.3.6"		-		Affected
Libreoffice Search vendor "Libreoffice"		Libreoffice Search vendor "Libreoffice" for product "Libreoffice"				7.4.0 Search vendor "Libreoffice" for product "Libreoffice" and version "7.4.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected