Cyber Resilience

CVE-2023-1183

Medium

Published: 10 July 2023

Published
10 July 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 5.0 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
EPSS Score 0.0731 91.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-1183 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Libreoffice Libreoffice. Its CVSS base score is 5.0 (Medium).

Operationally, ranked in the top 8.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-1183 is a path traversal flaw in the LibreOffice package that permits an attacker to supply a specially crafted .odb database file containing a "database/script" entry with a SCRIPT command. The command causes LibreOffice to write attacker-controlled content to an arbitrary file location on the local system. The issue is tracked under CWE-20 and CWE-22 and carries a CVSS 3.1 base score of 5.0 reflecting local attack vector, low complexity, and required user interaction.

An attacker with the ability to deliver a malicious .odb file to a target user can exploit the vulnerability when the file is opened in LibreOffice. Successful exploitation allows the attacker to overwrite or create files at a chosen path, resulting in high integrity impact without affecting confidentiality or availability.

Advisories published by LibreOffice, Red Hat, and the oss-security list recommend applying the vendor-supplied updates referenced in the CVE record. The associated EPSS score has remained flat at 0.0731 with no material increase since disclosure.

EU & UK References

Vulnerability details

A flaw was found in the Libreoffice package. An attacker can craft an odb containing a "database/script" file with a SCRIPT command where the contents of the file could be written to a new file whose location was determined by…

more

the attacker.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

libreoffice
libreoffice
7.5.0 · ≤ 7.4.6
fedoraproject
fedora
38
redhat
enterprise linux
8.0, 9.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-20 CWE-22

Directly implements checks on information inputs to reject invalid data before processing.

addresses: CWE-20

Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

addresses: CWE-20

Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

addresses: CWE-20

Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.

References