OpenOffice 4.1.0 Calc Command Injection

2014.08.23

Credit: Herbert

Risk: High

Local: Yes

Remote: No

CVE: CVE-2014-3524

CWE: CWE-78

CVSS Base Score: 9.3/10

Impact Subscore: 10/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

CVE-2014-3524
OpenOffice Calc Command Injection Vulnerability

Severity: Important
Vendor: The Apache Software Foundation

Versions Affected:
	Apache OpenOffice 4.1.0 and older on Windows.
	OpenOffice.org versions may also be affected.

Description:
	The vulnerability allows command injection when loading Calc spreadsheets. Specially crafted documents can be used for command-injection attacks. Further exploits are possible but have not been verified.

Mitigation:
        Apache OpenOffice users are advised to upgrade to Apache OpenOffice 4.1.1. Users who are unable to upgrade immediately should be cautious when opening untrusted documents.

Credits:
	The Apache OpenOffice security team credits Rohan Durve and James Kettle of Context Information Security as the discoverer of this flaw.

Herbert Darr
Member of the Apache OpenOffice Security Team

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

OpenOffice 4.1.0 Calc Command Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.