{"id":"CVE-2022-26307","details":"LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the master key was poorly encoded, weakening its entropy from 128 to 43 bits and making the stored passwords vulnerable to a brute force attack if an attacker has access to the user’s stored config. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.3.","modified":"2026-03-13T05:39:31.514233Z","published":"2022-07-25T15:15:09.410Z","related":["ALSA-2023:0089","ALSA-2023:0304","SUSE-SU-2022:3602-1","SUSE-SU-2022:3650-1","openSUSE-SU-2024:12452-1"],"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html"},{"type":"ADVISORY","url":"https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/08/13/2"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"7.2.0"},{"fixed":"7.2.7"}]},{"events":[{"introduced":"7.3.0"},{"fixed":"7.3.3"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-26307.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}