Security features bypass in LibreOffice - CVE-2021-25632

 

Security features bypass in LibreOffice - CVE-2021-25632

Published: May 18, 2021


Vulnerability identifier: #VU53333
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-25632
CWE-ID: CWE-254
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreOffice
Affected software:
LibreOffice

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improper input validation when processing hyperlinks in a document. A remote attacker can create a document with a specially crafted hyperlink, trick the victim into clicking the link, bypass implemented restrictions on extensions imposed by the denylist and execute arbitrary commands on the system.

Note, the vulnerability affects macOS installations only.

How to mitigate CVE-2021-25632

Install updates from vendor's website.

Sources