fkie_nvd - fkie_cve-2025-2866

fkie_cve-2025-2866

Vulnerability from fkie_nvd

Published

2025-04-27 19:15

Modified

2025-07-03 21:26

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Summary

Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by Improper Validation. In the affected versions of LibreOffice a flaw in the verification code for adbe.pkcs7.sha1 signatures could cause invalid signatures to be accepted as valid This issue affects LibreOffice: from 24.8 before < 24.8.6, from 25.2 before < 25.2.2.

References

▶	URL	Tags
	security@documentfoundation.org	https://www.libreoffice.org/about-us/security/advisories/cve-2025-2866	Vendor Advisory

Impacted products

Vendor	Product	Version
libreoffice	libreoffice	*
libreoffice	libreoffice	*
libreoffice	libreoffice	24.8.0.0
libreoffice	libreoffice	24.8.0.0
libreoffice	libreoffice	25.2.0.0
libreoffice	libreoffice	25.2.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BD405BA2-8F34-4357-BAB8-318569954069",
              "versionEndExcluding": "24.8.6.0",
              "versionStartIncluding": "24.8.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "86D26ABF-BF83-4C25-A31B-B15B17B708E4",
              "versionEndExcluding": "25.2.2",
              "versionStartIncluding": "25.2.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:libreoffice:libreoffice:24.8.0.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "910F0BB3-ECA0-4338-B67B-A9BBD6FFDCB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:libreoffice:libreoffice:24.8.0.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "7A1C6BCA-6638-4925-A32B-217282923645",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:libreoffice:libreoffice:25.2.0.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "CB7D3327-6D96-42FE-B4E2-0D6C44409D69",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:libreoffice:libreoffice:25.2.0.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "E2AB7E83-11C6-4177-8796-57D476B24E1E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by Improper Validation.\n\n\n\n\nIn the affected versions of LibreOffice a flaw in the verification code for adbe.pkcs7.sha1 signatures could cause invalid signatures to be accepted as valid\n\n\n\n\nThis issue affects LibreOffice: from 24.8 before \u003c 24.8.6, from 25.2 before \u003c 25.2.2."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad de verificaci\u00f3n incorrecta de firma criptogr\u00e1fica en LibreOffice permite la suplantaci\u00f3n de firmas PDF mediante una validaci\u00f3n incorrecta. En las versiones afectadas de LibreOffice, una falla en el c\u00f3digo de verificaci\u00f3n de firmas adbe.pkcs7.sha1 podr\u00eda provocar que firmas no v\u00e1lidas se acepten como v\u00e1lidas. Este problema afecta a LibreOffice: desde la versi\u00f3n 24.8 hasta la 24.8.6, desde la versi\u00f3n 25.2 hasta la 25.2.2."
    }
  ],
  "id": "CVE-2025-2866",
  "lastModified": "2025-07-03T21:26:26.980",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 2.4,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security@documentfoundation.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-04-27T19:15:15.137",
  "references": [
    {
      "source": "security@documentfoundation.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2025-2866"
    }
  ],
  "sourceIdentifier": "security@documentfoundation.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-347"
        }
      ],
      "source": "security@documentfoundation.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-347"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2025-2866 (GCVE-0-2025-2866)

Vulnerability from cvelistv5

Published

2025-04-27 19:04

Modified

2025-04-28 13:41

Severity ?

2.4 (Low) - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

CWE

CWE-347 - Improper Verification of Cryptographic Signature

Summary

References

►

URL

Tags

https://www.libreoffice.org/about-us/security/advisories/cve-2025-2866