Apache OpenOffice Missing Authorization Vulnerability Allows Unprompted Loading of External Links and Exfiltration of System Information
Vulnerability
A missing authorization vulnerability in Apache OpenOffice prior to version 4.1.16 allows external links in a document to be loaded without the user's permission. The flaw is triggered by a crafted document that contains links using certain URI schemes to reference external files. When the document is opened, the application retrieves the contents of those files automatically, without prompting, which can exfiltrate sensitive system information such as environment variables or configuration settings. The issue also affects the legacy OpenOffice.org releases.
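For triage, a defender wants to know which links inside an incoming document point outside the document package before it is opened in an unpatched build. The following script is an added example, not code from the Apache OpenOffice project: it unpacks an OpenDocument file (a ZIP containing content.xml and related parts), walks every xlink:href attribute, and reports the targets that carry a URI scheme, a network location, or an absolute path. The advisory does not list the affected schemes, so the "external" classification here is a general heuristic of this example; the sample document and the example.invalid hostname are constructed test input.

```python
"""Triage scanner for OpenDocument packages: list link targets that point
outside the package. Added example for this advisory, not OpenOffice code;
the external-link heuristic and all sample data are assumptions."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# ODF package parts that commonly carry link attributes.
LINK_PARTS = ("content.xml", "styles.xml", "meta.xml", "settings.xml")


def is_external(href: str) -> bool:
    """Treat a link as external when it has a URI scheme or network location,
    or is an absolute path. Fragment-only and relative references
    (e.g. "#Heading1", "Pictures/logo.png") resolve inside the package.
    Assumption of this example: the advisory does not name the affected schemes."""
    href = href.strip()
    if not href or href.startswith("#"):
        return False
    parts = urlsplit(href)
    return bool(parts.scheme) or bool(parts.netloc) or href.startswith(("/", "\\"))


def external_links(odf_bytes: bytes) -> list[tuple[str, str]]:
    """Return (part name, href) for every externally pointing link in the package."""
    found: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        names = set(zf.namelist())
        for part in LINK_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for elem in root.iter():
                href = elem.get(XLINK_HREF)
                if href is not None and is_external(href):
                    found.append((part, href))
    return found


def build_sample_odt(hrefs: list[str]) -> bytes:
    """Construct a minimal ODT package in memory containing the given link
    targets. This is constructed test input for the scanner, nothing more."""
    body = "".join(
        f'<text:p><text:a xlink:href="{h}">link</text:a></text:p>' for h in hrefs
    )
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
        'xmlns:xlink="http://www.w3.org/1999/xlink" office:version="1.2">'
        f"<office:body><office:text>{body}</office:text></office:body>"
        "</office:document-content>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # ODF requires the mimetype entry first and uncompressed.
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: two internal references and one external target.
    sample = build_sample_odt(
        ["#Heading1", "Pictures/logo.png", "https://example.invalid/fetch"]
    )
    for part, href in external_links(sample):
        print(f"{part}: external link -> {href}")
```

Run against a real file with `external_links(open("incoming.odt", "rb").read())`; any hit is a reason to hold the document for review or to open it only on a build at 4.1.16 or later. The scanner reads only the XML parts and never resolves the links, so it is safe to run on untrusted input.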
Impact
Exploitation of this vulnerability could lead to unauthorized access and transmission of sensitive system information, including INI file values and environment variables, to external sources.
Remediation
Users are advised to upgrade to Apache OpenOffice version 4.1.16, which addresses this vulnerability. The latest version can be downloaded from the Apache OpenOffice download page.
