Alpine: multiple libreoffice packages: security update to 7.2.2.2-r0

medium Tenable Cloud Security Plugin ID 426195

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the 7-0 series in versions prior to
7.0.5, the denylist can be circumvented by manipulating the link so it doesn't match the denylist but
results in ShellExecute attempting to launch an executable type. (CVE-2021-25631)

- LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual
aids that no alteration of the document occurred since the last signing and that the signature is valid.
An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally
signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the
document to combine multiple certificate data, which when opened caused LibreOffice to display a validly
signed indicator but whose content was unrelated to the signature shown. This issue affects: The Document
Foundation LibreOffice 7-0 versions prior to 7.0.6; 7-1 versions prior to 7.1.2. (CVE-2021-25633)

- LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual
aids that no alteration of the document occurred since the last signing and that the signature is valid.
An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to modify a digitally
signed ODF document to insert an additional signing time timestamp which LibreOffice would incorrectly
present as a valid signature signed at the bogus signing time. This issue affects: The Document Foundation
LibreOffice 7-0 versions prior to 7.0.6; 7-1 versions prior to 7.1.2. (CVE-2021-25634)

- An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to self sign an ODF
document, with a signature untrusted by the target, then modify it to change the signature algorithm to an
invalid (or unknown to LibreOffice) algorithm and LibreOffice would incorrectly present such a signature
with an unknown algorithm as a valid signature issued by a trusted person This issue affects LibreOffice:
from 7.0 before 7.0.5, from 7.1 before 7.1.1. (CVE-2021-25635)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-25631

https://security.alpinelinux.org/vuln/CVE-2021-25632

https://security.alpinelinux.org/vuln/CVE-2021-25633

https://security.alpinelinux.org/vuln/CVE-2021-25634

https://security.alpinelinux.org/vuln/CVE-2021-25635

Plugin Details

Severity: Medium

ID: 426195

Version: Revision 1.3

Type: Local

Published: 5/16/2025

Updated: 12/12/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2021-25631

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.2

Threat Score: 2.4

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H

CVSS Score Source: CVE-2021-25635

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/15/2021

Reference Information

CVE: CVE-2021-25631, CVE-2021-25632, CVE-2021-25633, CVE-2021-25634, CVE-2021-25635