CVE-2023-2255
Published: 25 May 2023
Summary
CVE-2023-2255 is a medium-severity an unspecified weakness vulnerability in Libreoffice Libreoffice. Its CVSS base score is 5.3 (Medium).
Operationally, ranked in the top 2.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is an improper access control flaw in the editor components of The Document Foundation LibreOffice. In affected versions, documents containing floating frames linked to external files would automatically load the contents of those frames without prompting the user for permission, unlike the handling of other linked content. This issue impacts LibreOffice 7.4 releases prior to 7.4.7 and 7.5 releases prior to 7.5.3.
An attacker can exploit the weakness by crafting a malicious document and distributing it to a target. When the recipient opens the file in an affected LibreOffice installation, external resources are fetched without user interaction or consent, resulting in limited integrity impact as reflected in the CVSS 5.3 score.
LibreOffice, Debian, and Gentoo advisories address the issue through updates that restore consistent prompting behavior for external frame content; users are advised to upgrade to the fixed releases.
EPSS for this CVE reached a peak of 0.5082 before receding to the current value of 0.4355.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-33761
Vulnerability details
Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked…
more
to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.