Detections
Analytics

Apache OpenOffice < 4.1.15 Multiple Vulnerabilities

high Nessus Plugin ID 187659

Language:

Synopsis

The remote Windows host has an application installed that is affected by multiple vulnerabilities.

Description

The version of Apache OpenOffice installed on the remote host is a version prior to 4.1.15. It is, therefore, affected by multiple vulnerabilities as stated in the vendor advisories and release notes.

 - Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined for this purpose. Links can be activated by clicks, or by automatic document events. The execution of such links must be subject to user approval. In the affected versions of Apache OpenOffice, approval for certain links is not requested; when activated, such links could therefore result in arbitrary script execution. This is a corner case of 2022-47502. (CVE-2023-47804)

 - An attacker can craft an OBD containing a 'database/script' file with a SCRIPT command where the contents of the file could be written to a new file whose location was determined by the attacker. (CVE-2023-1183)

 - In Apache OpenOffice and LibreOffice embedded content will be opened automatically without that a warning is shown. (CVE-2012-5639)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Apache OpenOffice version 4.1.15 or later.

See Also

https://www.openoffice.org/security/cves/CVE-2023-47804.html

http://www.nessus.org/u?a8b539cd

https://www.openoffice.org/security/cves/CVE-2012-5639.html

https://www.openoffice.org/security/cves/CVE-2022-43680.html

https://www.openoffice.org/security/cves/CVE-2023-1183.html

Plugin Details

Severity: High

ID: 187659

File Name: openoffice_4115.nasl

Version: 1.2

Type: local

Agent: windows

Family: Windows

Published: 1/5/2024

Updated: 1/9/2024

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2012-5639

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2023-47804

Vulnerability Information

CPE: cpe:/a:apache:openoffice

Required KB Items: installed_sw/OpenOffice

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/22/2023

Vulnerability Publication Date: 3/24/2023

Reference Information

CVE: CVE-2012-5639, CVE-2022-43680, CVE-2023-1183, CVE-2023-47804

IAVA: 2024-A-0001