Collabora Online Vulnerable to Arbitrary File Write
Collabora Online is a collaborative online office suite based on LibreOffice technology. In versions prior to 24.04.12.4, 23.05.19, and 22.05.25, there is a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers. This allows for a file to be written anywhere the uid running Collabora Online can write, if such a response was supplied by a malicious WOPI server. By combining this flaw with a Time of Check, Time of Use DNS lookup issue with a WOPI server address under attacker control, it is possible to present such a response to be processed by a Collabora Online instance. This issue has been patched in versions 24.04.13.1, 23.05.19, and 22.05.25.
Problem Types
| Type | CWE ID | Description |
|---|
| CWE | CWE-23 | CWE-23: Relative Path Traversal |
Type: CWE
Description: CWE-23: Relative Path Traversal
Metrics
| Version | Base score | Base severity | Vector |
|---|
| 4.0 | 8.3 | HIGH | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N |
Version: 4.0
Base score: 8.3
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N