CVE-2010-0136 - Vulnerability Details - OpenCVE

OpenOffice.org (OOo) 2.0.4, 2.4.1, and 3.1.1 does not properly enforce Visual Basic for Applications (VBA) macro security settings, which allows remote attackers to run arbitrary macros via a crafted document.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Openoffice
Canonical	Ubuntu Linux
Debian	Debian Linux

Configuration 1 [-]

OR	cpe:2.3:a:apache:openoffice:2.0.4:::::::*
	cpe:2.3:a:apache:openoffice:2.4.1:::::::*
	cpe:2.3:a:apache:openoffice:3.1.1:::::::*

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:8.04::::-:::
	cpe:2.3:o:canonical:ubuntu_linux:8.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:9.04:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:9.10:::::::*
	cpe:2.3:o:debian:debian_linux:4.0:::::::*
	cpe:2.3:o:debian:debian_linux:5.0:::::::*

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html
http://secunia.com/advisories/38695
http://secunia.com/advisories/38921
http://securitytracker.com/id?1023588
http://www.debian.org/security/2010/dsa-1995
http://www.mail-archive.com/debian-openoffice%40lists.debian.org/msg23178.html
http://www.mandriva.com/security/advisories?name=MDVSA-2010:221
http://www.securityfocus.com/bid/38245
http://www.ubuntu.com/usn/USN-903-1
http://www.vupen.com/english/advisories/2010/0635
http://www.vupen.com/english/advisories/2010/2905
https://nvd.nist.gov/vuln/detail/CVE-2010-0136
https://www.cve.org/CVERecord?id=CVE-2010-0136

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2010-02-16T19:00:00

Updated: 2024-08-07T00:37:54.087Z

Reserved: 2010-01-04T00:00:00

Link: CVE-2010-0136

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2010-02-16T19:30:00.610

Modified: 2025-04-11T00:51:21.963

Link: CVE-2010-0136

Redhat

Severity : Moderate

Publid Date: 2010-02-12T00:00:00Z

Links: CVE-2010-0136 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2010-02-12T00:00:00", "descriptions": [{"lang": "en", "value": "OpenOffice.org (OOo) 2.0.4, 2.4.1, and 3.1.1 does not properly enforce Visual Basic for Applications (VBA) macro security settings, which allows remote attackers to run arbitrary macros via a crafted document."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2010-03-26T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "MDVSA-2010:221", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:221"}, {"name": "38695", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/38695"}, {"name": "DSA-1995", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2010/dsa-1995"}, {"name": "1023588", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1023588"}, {"name": "USN-903-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-903-1"}, {"name": "SUSE-SA:2010:017", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html"}, {"name": "[debian-openoffice] 20100212 ./packages/openofficeorg/3.1.1/unstable r1866: merge 1:3.1.1-15+squeeze1", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.mail-archive.com/debian-openoffice%40lists.debian.org/msg23178.html"}, {"name": "ADV-2010-0635", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2010/0635"}, {"name": "38245", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/38245"}, {"name": "38921", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/38921"}, {"name": "ADV-2010-2905", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2010/2905"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-0136", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OpenOffice.org (OOo) 2.0.4, 2.4.1, and 3.1.1 does not properly enforce Visual Basic for Applications (VBA) macro security settings, which allows remote attackers to run arbitrary macros via a crafted document."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "MDVSA-2010:221", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:221"}, {"name": "38695", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/38695"}, {"name": "DSA-1995", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2010/dsa-1995"}, {"name": "1023588", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1023588"}, {"name": "USN-903-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-903-1"}, {"name": "SUSE-SA:2010:017", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html"}, {"name": "[debian-openoffice] 20100212 ./packages/openofficeorg/3.1.1/unstable r1866: merge 1:3.1.1-15+squeeze1", "refsource": "MLIST", "url": "http://www.mail-archive.com/debian-openoffice@lists.debian.org/msg23178.html"}, {"name": "ADV-2010-0635", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/0635"}, {"name": "38245", "refsource": "BID", "url": "http://www.securityfocus.com/bid/38245"}, {"name": "38921", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/38921"}, {"name": "ADV-2010-2905", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/2905"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T00:37:54.087Z"}, "title": "CVE Program Container", "references": [{"name": "MDVSA-2010:221", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:221"}, {"name": "38695", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/38695"}, {"name": "DSA-1995", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2010/dsa-1995"}, {"name": "1023588", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1023588"}, {"name": "USN-903-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-903-1"}, {"name": "SUSE-SA:2010:017", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html"}, {"name": "[debian-openoffice] 20100212 ./packages/openofficeorg/3.1.1/unstable r1866: merge 1:3.1.1-15+squeeze1", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.mail-archive.com/debian-openoffice%40lists.debian.org/msg23178.html"}, {"name": "ADV-2010-0635", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2010/0635"}, {"name": "38245", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/38245"}, {"name": "38921", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/38921"}, {"name": "ADV-2010-2905", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2010/2905"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-0136", "datePublished": "2010-02-16T19:00:00", "dateReserved": "2010-01-04T00:00:00", "dateUpdated": "2024-08-07T00:37:54.087Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:openoffice:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8DA838CA-FC3A-4A53-A196-A00311A39DBA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:openoffice:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "73261E25-D3AA-49CF-8066-09F47B0F99FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:openoffice:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "27C144F0-C27D-4E74-977C-D17971EB80D3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*", "matchCriteriaId": "7EBFE35C-E243-43D1-883D-4398D71763CC", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*", "matchCriteriaId": "4747CC68-FAF4-482F-929A-9DA6C24CB663", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*", "matchCriteriaId": "A5D026D0-EF78-438D-BEDD-FC8571F3ACEB", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:9.10:*:*:*:*:*:*:*", "matchCriteriaId": "A2BCB73E-27BB-4878-AD9C-90C4F20C25A0", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "0F92AB32-E7DE-43F4-B877-1F41FA162EC7", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "8C757774-08E7-40AA-B532-6F705C8F7639", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenOffice.org (OOo) 2.0.4, 2.4.1, and 3.1.1 does not properly enforce Visual Basic for Applications (VBA) macro security settings, which allows remote attackers to run arbitrary macros via a crafted document."}, {"lang": "es", "value": "OpenOffice.org (OOo) V2.0.4, V2.4.1, y v3.1.1 no refuerza adecuadamente la configuraci\u00f3n de la macro de seguridad de Visual Basic para Aplicaciones (VBA), lo que permite a atacantes remotos correr macros de su elecci\u00f3n a trav\u00e9s de un documento manipulado."}], "id": "CVE-2010-0136", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2010-02-16T19:30:00.610", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/38695"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/38921"}, {"source": "cve@mitre.org", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://securitytracker.com/id?1023588"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2010/dsa-1995"}, {"source": "cve@mitre.org", "url": "http://www.mail-archive.com/debian-openoffice%40lists.debian.org/msg23178.html"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:221"}, {"source": "cve@mitre.org", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/38245"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-903-1"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.vupen.com/english/advisories/2010/0635"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.vupen.com/english/advisories/2010/2905"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/38695"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://secunia.com/advisories/38921"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://securitytracker.com/id?1023588"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2010/dsa-1995"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mail-archive.com/debian-openoffice%40lists.debian.org/msg23178.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:221"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/38245"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-903-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://www.vupen.com/english/advisories/2010/0635"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://www.vupen.com/english/advisories/2010/2905"}], "sourceIdentifier": "cve@mitre.org", "vendorComments": [{"comment": "Not vulnerable. This issue did not affect the versions of openoffice.org as shipped with Red Hat Enterprise Linux 3, 4, or 5.", "lastModified": "2010-03-05T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}