{"api_version":"1","generated_at":"2026-04-23T04:40:59+00:00","cve":"CVE-2008-3437","urls":{"html":"https://cve.report/CVE-2008-3437","api":"https://cve.report/api/cve/CVE-2008-3437.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2008-3437","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2008-3437"},"summary":{"title":"CVE-2008-3437","description":"OpenOffice.org (OOo) before 2.1.0 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.","state":"PUBLISHED","assigner":"mitre","published_at":"2008-08-01 14:41:00","updated_at":"2026-04-23 00:35:47"},"problem_types":["CWE-94","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"7.5","severity":"","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"http://securitytracker.com/id?1020583","name":"http://securitytracker.com/id?1020583","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"OpenOffice Update Component Lack of Digital Signatures Lets Remote Users Install Arbitrary Code in Certain Cases - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://archives.neohapsis.com/archives/bugtraq/2008-07/0250.html","name":"http://archives.neohapsis.com/archives/bugtraq/2008-07/0250.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://www.infobyte.com.ar/down/isr-evilgrade-1.0.0.tar.gz","name":"http://www.infobyte.com.ar/down/isr-evilgrade-1.0.0.tar.gz","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"application/gzip","httpstatus":"-1","archivestatus":"200"},{"url":"http://www.infobyte.com.ar/down/Francisco%20Amato%20-%20evilgrade%20-%20ENG.pdf","name":"http://www.infobyte.com.ar/down/Francisco%20Amato%20-%20evilgrade%20-%20ENG.pdf","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"application/pdf","httpstatus":"-1","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2008-3437","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2008-3437","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2008","cve_id":"3437","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openoffice","cpe5":"openoffice.org","cpe6":"1.1.5","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"3437","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openoffice","cpe5":"openoffice.org","cpe6":"2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"3437","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openoffice","cpe5":"openoffice.org","cpe6":"2.0.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"3437","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openoffice","cpe5":"openoffice.org","cpe6":"2.0.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"3437","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openoffice","cpe5":"openoffice.org","cpe6":"2.0.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[{"cvename":"CVE-2008-3437","organization":"Red Hat","lastmodified":"2008-08-04","contributor":"Tomas Hoger","statementText":"Not vulnerable. This issue did not affect the versions of OpenOffice.org as shipped with Red Hat Enterprise Linux 3, 4, or 5. The updated Red Hat Enterprise Linux packages are not distributed via the openoffice.org update service, but rather via Red Hat Network, using the package manager capabilities to verify authenticity of updates.","cve_year":"2008","cve_id":"3437","crc32":"e10140d6"}],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-07T09:37:26.904Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"http://www.infobyte.com.ar/down/Francisco%20Amato%20-%20evilgrade%20-%20ENG.pdf"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://www.infobyte.com.ar/down/isr-evilgrade-1.0.0.tar.gz"},{"name":"1020583","tags":["vdb-entry","x_refsource_SECTRACK","x_transferred"],"url":"http://securitytracker.com/id?1020583"},{"name":"20080728 Tool release: [evilgrade] - Using DNS cache poisoning to exploit poor update implementations","tags":["mailing-list","x_refsource_FULLDISC","x_transferred"],"url":"http://archives.neohapsis.com/archives/bugtraq/2008-07/0250.html"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"descriptions":[{"lang":"en","value":"OpenOffice.org (OOo) before 2.1.0 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2008-08-01T14:00:00.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"tags":["x_refsource_MISC"],"url":"http://www.infobyte.com.ar/down/Francisco%20Amato%20-%20evilgrade%20-%20ENG.pdf"},{"tags":["x_refsource_MISC"],"url":"http://www.infobyte.com.ar/down/isr-evilgrade-1.0.0.tar.gz"},{"name":"1020583","tags":["vdb-entry","x_refsource_SECTRACK"],"url":"http://securitytracker.com/id?1020583"},{"name":"20080728 Tool release: [evilgrade] - Using DNS cache poisoning to exploit poor update implementations","tags":["mailing-list","x_refsource_FULLDISC"],"url":"http://archives.neohapsis.com/archives/bugtraq/2008-07/0250.html"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2008-3437","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"OpenOffice.org (OOo) before 2.1.0 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"http://www.infobyte.com.ar/down/Francisco%20Amato%20-%20evilgrade%20-%20ENG.pdf","refsource":"MISC","url":"http://www.infobyte.com.ar/down/Francisco%20Amato%20-%20evilgrade%20-%20ENG.pdf"},{"name":"http://www.infobyte.com.ar/down/isr-evilgrade-1.0.0.tar.gz","refsource":"MISC","url":"http://www.infobyte.com.ar/down/isr-evilgrade-1.0.0.tar.gz"},{"name":"1020583","refsource":"SECTRACK","url":"http://securitytracker.com/id?1020583"},{"name":"20080728 Tool release: [evilgrade] - Using DNS cache poisoning to exploit poor update implementations","refsource":"FULLDISC","url":"http://archives.neohapsis.com/archives/bugtraq/2008-07/0250.html"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2008-3437","datePublished":"2008-08-01T14:00:00.000Z","dateReserved":"2008-08-01T00:00:00.000Z","dateUpdated":"2024-09-16T19:30:38.697Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2008-08-01 14:41:00","lastModifiedDate":"2026-04-23 00:35:47","problem_types":["CWE-94","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openoffice:openoffice.org:1.1.5:*:*:*:*:*:*:*","matchCriteriaId":"E697B8A3-447B-4D7B-A02B-191119453CCB"},{"vulnerable":true,"criteria":"cpe:2.3:a:openoffice:openoffice.org:2.0:*:*:*:*:*:*:*","matchCriteriaId":"45DD57AC-8CA4-48DB-90F9-2D7260AB7650"},{"vulnerable":true,"criteria":"cpe:2.3:a:openoffice:openoffice.org:2.0.2:*:*:*:*:*:*:*","matchCriteriaId":"1C065AAB-58E3-4312-AD74-A3E103AC73DB"},{"vulnerable":true,"criteria":"cpe:2.3:a:openoffice:openoffice.org:2.0.3:*:*:*:*:*:*:*","matchCriteriaId":"9487A325-308D-442A-89A9-E8650925F43F"},{"vulnerable":true,"criteria":"cpe:2.3:a:openoffice:openoffice.org:2.0.4:*:*:*:*:*:*:*","matchCriteriaId":"D4B493F3-833A-47E9-AB60-BE2D635EF8AC"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2008","CveId":"3437","Ordinal":"1","Title":"CVE-2008-3437","CVE":"CVE-2008-3437","Year":"2008"},"notes":[{"CveYear":"2008","CveId":"3437","Ordinal":"1","NoteData":"OpenOffice.org (OOo) before 2.1.0 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.","Type":"Description","Title":"CVE-2008-3437"},{"CveYear":"2008","CveId":"3437","Ordinal":"2","NoteData":"2008-08-01","Type":"Other","Title":"Published"}]}}}