{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-14714","assignerOrgId":"4fe7d05b-1353-44cc-8b7a-1e416936dff2","state":"PUBLISHED","assignerShortName":"Document Fdn.","dateReserved":"2025-12-15T09:52:45.310Z","datePublished":"2025-12-15T10:30:55.796Z","dateUpdated":"2025-12-15T13:13:17.791Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unknown","platforms":["MacOS"],"product":"LibreOffice","vendor":"The Document Foundation","versions":[{"lessThan":"< 25.2.4","status":"affected","version":"25.2","versionType":"25.2 series"}]}],"credits":[{"lang":"en","type":"finder","value":"Karol Mazurek of AFINE"}],"datePublic":"2025-12-15T10:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div>An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions&nbsp;granted by the user to the main application bundle</div><div><br></div><div>By executing the bundled interpreter directly the attacker's scripts run with the application's TCC&nbsp;privileges</div><div><br></div><div>In fixed versions parent-constraints are used to allow only the main application to launch interpreter with those permissions</div><p>This issue affects LibreOffice on macOS: from 25.2 before &lt; 25.2.4.</p>"}],"value":"An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle\n\n\n\n\nBy executing the bundled interpreter directly the attacker's scripts run with the application's TCC privileges\n\n\n\n\nIn fixed versions parent-constraints are used to allow only the main application to launch interpreter with those permissions\n\nThis issue affects LibreOffice on macOS: from 25.2 before < 25.2.4."}],"impacts":[{"capecId":"CAPEC-115","descriptions":[{"lang":"en","value":"CAPEC-115 Authentication Bypass"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"LOCAL","baseScore":0.9,"baseSeverity":"LOW","exploitMaturity":"UNREPORTED","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-288","description":"CWE-288 Authentication Bypass Using an Alternate Path or Channel","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"4fe7d05b-1353-44cc-8b7a-1e416936dff2","shortName":"Document Fdn.","dateUpdated":"2025-12-15T10:30:55.796Z"},"references":[{"url":"https://www.libreoffice.org/about-us/security/advisories/cve-2025-14714"}],"source":{"discovery":"EXTERNAL"},"title":"TCC Bypass via Inherited Permissions in Bundled Interpreter","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-12-15T13:13:04.911133Z","id":"CVE-2025-14714","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-12-15T13:13:17.791Z"}}]}}