Date: prev next · Thread: first prev next last
2023 Archives by date, by thread · List index

tl;dr: upgrade to LibreOffice >= 7.2.6 or >= 7.3.1, (which was already

CVE-2022-38745: Empty entry in Java class path risks arbitrary code

Fixed in: LibreOffice 7.2.6/7.3.1


Most versions of LibreOffice support and contain components written in
Java. LibreOffice extends the existing Java class path with its own
internal classes.

In the affected versions of LibreOffice if the existing class path was
empty, then when Java class files are loaded, the current working
directory is searched for valid classes before using the embedded
versions. If an attacker sends a zip file containing a class file
alongside a document then depending on the file manager or other tool
used to open the zip file, navigate to the document and launch
LibreOffice to open it, then the current working directory of
LibreOffice may be the directory in which the class file exists, in
which case there is a risk that the arbitrary code of the class file
could be executed.

In versions >= 7.2.6 (and >= 7.3.1) such unwanted empty paths are not
appended to the classpath

To unsubscribe e-mail to:
Posting guidelines + more:
List archive:
Privacy Policy:


Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.