<!DOCTYPE html>
<html>
<head>
<title>CVE-2021-30245</title>
<style type="text/css"></style>
</head>
<body>
<p>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-30245">
CVE-2021-30245
</a>
</p>
<p>
<a href="https://www.openoffice.org/security/cves/CVE-2021-30245.html">
Apache OpenOffice Advisory
</a>
</p>
<p style="text-align:center; font-size:largest">
<strong>
CVE-2021-30245 Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks
</strong>
</p>
<p style="text-align:center; font-size:larger">
<strong>
Fixed in Apache OpenOffice 4.1.10
</strong>
</p>
<p>
<strong>
Description
</strong>
</p>
<p>
Applications of the OpenOffice suite handle non-http(s) hyperlinks in an insecure way, allowing for 1-click code execution on Windows, Linux and macOS systems via malicious executable files hosted on internet-accessible file shares.
</p>
<p>
<strong>
Severity: Moderate
</strong>
</p>
<p>
There are no known exploits of this vulnerability.
<br />
A proof-of-concept demonstration exists.
</p>
<p>
Thanks to the reporter for discovering this issue.
</p>
<p>
<strong>
Vendor: The Apache Software Foundation
</strong>
</p>
<p>
<strong>
Versions Affected
</strong>
</p>
<p>
All Apache OpenOffice versions 4.1.9 and older are affected.
<br />
OpenOffice.org versions may also be affected.
</p>
<p>
<strong>
Mitigation
</strong>
</p>
<p>
Install Apache OpenOffice 4.1.10 for the latest maintenance and cumulative security fixes. Use the Apache OpenOffice
<a href="https://www.openoffice.org/download/">
download page
</a>.
</p>
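<p>
Added example, not part of the Apache OpenOffice advisory or code base: a Python check that lists the hyperlinks in an ODF file (.odt, .ods, .odp) whose target is anything other than http(s), the class of link the Description refers to, so documents can be triaged before they are opened. The allow-list, the function names and the sample document are assumptions constructed for illustration.
</p>

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# ODF namespaces; text:a and draw:a are the hyperlink elements.
TEXT_A = "{urn:oasis:names:tc:opendocument:xmlns:text:1.0}a"
DRAW_A = "{urn:oasis:names:tc:opendocument:xmlns:drawing:1.0}a"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ALLOWED_SCHEMES = {"http", "https"}  # assumed policy, taken from the advisory title


def non_http_links(odf_bytes):
    """Return hyperlink targets in an ODF package whose scheme is not http(s)."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        for part in ("content.xml", "styles.xml"):
            if part not in pkg.namelist():
                continue
            # For untrusted files, swap in a hardened XML parser here.
            for elem in ET.fromstring(pkg.read(part)).iter():
                href = elem.get(XLINK_HREF, "")
                if elem.tag not in (TEXT_A, DRAW_A) or not href or href.startswith("#"):
                    continue  # not a hyperlink, or an in-document anchor
                try:
                    scheme = urlparse(href).scheme  # urlparse lowercases the scheme
                except ValueError:
                    scheme = "<unparseable>"
                if scheme not in ALLOWED_SCHEMES:
                    flagged.append(href)  # includes scheme-less paths such as UNC names
    return flagged


def build_sample_odt():
    """Constructed sample: a minimal package (content.xml only) with three links."""
    content = (
        '<office:document-content'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"'
        ' xmlns:xlink="http://www.w3.org/1999/xlink"><office:body><office:text>'
        '<text:p><text:a xlink:href="https://www.openoffice.org/">site</text:a></text:p>'
        '<text:p><text:a xlink:href="smb://files.example.invalid/share/report">doc</text:a></text:p>'
        '<text:p><text:a xlink:href="#Section1">contents</text:a></text:p>'
        '</office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", content)
    return buf.getvalue()
```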
<p>
<strong>
Acknowledgments
</strong>
</p>
<p>
The Apache OpenOffice Security Team would like to thank Fabian Bräunlein and Lukas Euler of Positive Security for discovering and reporting this attack vector.
</p>
<p>
<strong>
Further Information
</strong>
</p>
<p>
For additional information and assistance, consult the
<a href="https://forum.openoffice.org/">
Apache OpenOffice Community Forums
</a>
or make requests to the
<a href="mailto:users@openoffice.apache.org">
users@openoffice.apache.org
</a>
public mailing list.
</p>
<p>
The latest information on Apache OpenOffice security bulletins can be found at the
<a href="https://www.openoffice.org/security/bulletin.html">
Bulletin Archive page
</a>.
</p>
</body>
</html>