CVE-2023-6185: Improper input validation enabling arbitrary Gstreamer pipeline injection

8.3 CVSS

Description

Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins.

In affected versions the filename of the embedded video is not sufficiently escaped when passed to GStreamer enabling an attacker to run arbitrary gstreamer plugins depending on what plugins are installed on the target system.

Classification

CVE ID: CVE-2023-6185

CVSS Base Severity: HIGH

CVSS Base Score: 8.3

Affected Products

Vendor: The Document Foundation

Product: LibreOffice

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.27% (probability of being exploited)

EPSS Percentile: 67.68% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://www.libreoffice.org/about-us/security/advisories/cve-2023-6185
https://www.debian.org/security/2023/dsa-5574
https://lists.fedoraproject.org/archives/list/[email protected]/message/QB7UB6CTWQUDOE657OVVRSDYUY3IPBJG/
https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html

Timeline

2024-12-03 00:11:38 UTC
CVE

Improper input validation enabling arbitrary Gstreamer pipeline injection