CVE-2020-12801

Crash-recovered MSOffice encrypted documents defaulted to not to using encryption on next save

Description

If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, LibreOffice offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was not LibreOffice's default ODF file format, then affected versions of LibreOffice default that subsequent saves of the document are unencrypted. This may lead to a user accidentally saving a MSOffice file format document unencrypted while believing it to be encrypted. This issue affects: LibreOffice 6-3 series versions prior to 6.3.6; 6-4 series versions prior to 6.4.3.

References

Link	Tags
https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12801	vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00011.html	vendor advisory mailing list third party advisory
https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html	mailing list

Frequently Asked Questions

What is the severity of CVE-2020-12801?: CVE-2020-12801 has been scored as a medium severity vulnerability.
How to fix CVE-2020-12801?: To fix CVE-2020-12801, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-12801 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2020-12801 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-12801?: CVE-2020-12801 affects The Document Foundation LibreOffice.

Description

Categories

CWE-311 – Missing Encryption of Sensitive Data

CWE-312 – Cleartext Storage of Sensitive Information

References

Frequently Asked Questions