製品・ソフトウェアに関する情報

JVN脆弱性詳細

OpenOffice.org における任意の Python コードを実行される脆弱性

Title	OpenOffice.org における任意の Python コードを実行される脆弱性
Summary	OpenOffice.org には、Python マクロセキュリティの制限を回避され、任意の Python コードを実行される脆弱性が存在します。
Possible impacts	攻撃者により、マクロのディレクトリ構造をプレビューされた際、コード実行の引き金となる巧妙に細工された OpenDocument テキストを介して、Python のマクロセキュリティの制限を回避され、任意のPython コードを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 10, 2010, midnight
Registration Date	June 17, 2010, 6:34 p.m.
Last Update	June 17, 2010, 6:34 p.m.

CVSS2.0 : 危険
Score	9.3
Vector	AV:N/AC:M/Au:N/C:C/I:C/A:C

Affected System

レッドハット

Red Hat Enterprise Linux 4 (as)

Red Hat Enterprise Linux 4 (es)

Red Hat Enterprise Linux 4 (ws)

Red Hat Enterprise Linux 4.8 (as)

Red Hat Enterprise Linux 4.8 (es)

Red Hat Enterprise Linux Desktop 4.0

Red Hat Enterprise Linux Desktop 5.0 (client)

RHEL Desktop Workstation 5 (client)

RHEL Optional Productivity Applications 5 (server)

OpenOffice.org Project

OpenOffice.org 2.x

OpenOffice.org 3.2.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2010-0395	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0395
National Vulnerability Database (NVD)
2	CVE-2010-0395	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0395
OpenOffice.org
3	CVE-2010-0395	http://www.openoffice.org/security/cves/CVE-2010-0395.html

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
OpenOffice.org
1	3.2.1	http://development.openoffice.org/releases/3.2.1.html
Red Hat Security Advisory
2	RHSA-2010:0459	https://rhn.redhat.com/errata/RHSA-2010-0459.html

その他

No	Name	URL
Secunia Advisory
1	SA40070	http://secunia.com/advisories/40070
SecurityFocus
2	40599	http://www.securityfocus.com/bid/40599
VUPEN Security
3	VUPEN/ADV-2010-1350	http://www.vupen.com/english/advisories/2010/1350

Change Log

No	Changed Details	Date of change
0	[2010年06月17日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2010-0395

Summary	OpenOffice.org 2.x and 3.0 before 3.2.1 allows user-assisted remote attackers to bypass Python macro security restrictions and execute arbitrary Python code via a crafted OpenDocument Text (ODT) file that triggers code execution when the macro directory structure is previewed.
Publication Date	June 10, 2010, 9:30 a.m.
Registration Date	Jan. 29, 2021, 10:56 a.m.
Last Update	Feb. 8, 2022, 2:03 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:8.04::::-:::
cpe:2.3:o:canonical:ubuntu_linux:9.04:::::::*
cpe:2.3:o:canonical:ubuntu_linux:9.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:10.04::::-:::
cpe:2.3:o:debian:debian_linux:5.0:::::::*
cpe:2.3:o:debian:debian_linux:6.0:::::::*
cpe:2.3:o:fedoraproject:fedora:11:::::::*
cpe:2.3:o:fedoraproject:fedora:12:::::::*
cpe:2.3:o:fedoraproject:fedora:13:::::::*
cpe:2.3:o:opensuse:opensuse:11.0:::::::*
cpe:2.3:o:opensuse:opensuse:11.1:::::::*
cpe:2.3:o:opensuse:opensuse:11.2:::::::*
cpe:2.3:o:suse:linux_enterprise_desktop:10:sp3::::::
cpe:2.3:o:suse:linux_enterprise_desktop:11:-::::::

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:apache:openoffice::::::::		2.0.0			3.2.1

Related information, measures and tools

No	URL	refsource	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042468.html	FEDORA	Third Party Advisory
2	http://www.vupen.com/english/advisories/2010/1369	VUPEN	Broken Link
3	http://ubuntu.com/usn/usn-949-1	UBUNTU	Third Party Advisory
4	http://secunia.com/advisories/40084	SECUNIA	Broken Link
5	http://www.vupen.com/english/advisories/2010/1350	VUPEN	Broken Link Patch
6	http://secunia.com/advisories/40104	SECUNIA	Broken Link
7	http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042534.html	FEDORA	Third Party Advisory
8	https://bugzilla.redhat.com/show_bug.cgi?id=574119	CONFIRM	Issue Tracking Third Party Advisory
9	http://secunia.com/advisories/40070	SECUNIA	Broken Link
10	http://www.openoffice.org/security/cves/CVE-2010-0395.html	CONFIRM	Vendor Advisory
11	http://www.vupen.com/english/advisories/2010/1366	VUPEN	Broken Link
12	http://www.redhat.com/support/errata/RHSA-2010-0459.html	REDHAT	Broken Link
13	http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042529.html	FEDORA	Third Party Advisory
14	http://secunia.com/advisories/40107	SECUNIA	Broken Link
15	http://www.vupen.com/english/advisories/2010/1353	VUPEN	Broken Link
16	http://www.debian.org/security/2010/dsa-2055	DEBIAN	Third Party Advisory
17	http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html	SUSE	Third Party Advisory
18	http://www.us-cert.gov/cas/techalerts/TA10-287A.html	CERT	Third Party Advisory US Government Resource
19	http://www.mandriva.com/security/advisories?name=MDVSA-2010:221	MANDRIVA	Broken Link
20	http://www.vupen.com/english/advisories/2010/2905	VUPEN	Broken Link
21	http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml	GENTOO	Third Party Advisory
22	http://secunia.com/advisories/60799	SECUNIA	Broken Link
23	http://secunia.com/advisories/41818	SECUNIA	Broken Link
24	http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html	CONFIRM	Third Party Advisory
25	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11091	OVAL	Tool Signature

Common Vulnerabilities List

Configuration1	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:8.04::::-:::
cpe:2.3:o:canonical:ubuntu_linux:9.04:::::::*
cpe:2.3:o:canonical:ubuntu_linux:9.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:10.04::::-:::
cpe:2.3:o:debian:debian_linux:5.0:::::::*
cpe:2.3:o:debian:debian_linux:6.0:::::::*
cpe:2.3:o:fedoraproject:fedora:11:::::::*
cpe:2.3:o:fedoraproject:fedora:12:::::::*
cpe:2.3:o:fedoraproject:fedora:13:::::::*
cpe:2.3:o:opensuse:opensuse:11.0:::::::*
cpe:2.3:o:opensuse:opensuse:11.1:::::::*
cpe:2.3:o:opensuse:opensuse:11.2:::::::*
cpe:2.3:o:suse:linux_enterprise_desktop:10:sp3::::::
cpe:2.3:o:suse:linux_enterprise_desktop:11:-::::::