mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-04-28 18:02:38 +02:00
a6755080ad
Our security scans for the released container image have flagged CVE-2023-7104. Our assessment is that this CVE doesn't affect Dangerzone, mainly because our understanding is that attackers cannot embed SQLite dbs within LibreOffice spreadsheets.
25 lines
1.1 KiB
YAML
25 lines
1.1 KiB
YAML
# This configuration file will be used to track CVEs that we can ignore for the
|
|
# latest release of Dangerzone, and offer our analysis.
|
|
|
|
ignore:
|
|
# CVE-2023-7104
|
|
# =============
|
|
#
|
|
# NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-7104
|
|
# Verdict: Dangerzone is not affected. The rationale is the following:
|
|
#
|
|
# 1. This CVE affects malicious/corrupted SQLite DBs.
|
|
# 2. Databases can be loaded either via LibreOffice Calc or Base. Files for
|
|
# the latter are not a valid input to Dangerzone.
|
|
# 3. Based on the LibreOffice Calc guide [1], users can only refer to
|
|
# external databases, not embed them in a spreadsheet.
|
|
# 4. The actual CVSS score for this vulnerability is High, according to
|
|
# NIST, not Critical.
|
|
#
|
|
# [1]: From https://wiki.documentfoundation.org/images/f/f4/CG75-CalcGuide.pdf:
|
|
#
|
|
# > The possible data sources for the pivot table are a Calc spreadsheet
|
|
# > or an external data source that is registered in LibreOffice. [...]
|
|
# > A registered data source is a connection to data held in a database
|
|
# > outside of LibreOffice.
|
|
- vulnerability: CVE-2023-7104
|