CVE-2022-37401: 
Homebrew vulnerability analysis and mitigation

Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database, where stored passwords are encrypted with a single master key provided by the user. A vulnerability was discovered in versions prior to 4.1.13 where the master key was poorly encoded, resulting in weakening its entropy from 128 to 43 bits. This made the stored passwords vulnerable to a brute force attack if an attacker gained access to the user's stored configuration (OpenWall Advisory, OpenOffice Advisory).

The vulnerability (CVE-2022-37401) is characterized by insufficient entropy (CWE-331) in the master key encoding process. The flaw reduced the effective entropy of the master key from 128 bits to just 43 bits, significantly weakening the cryptographic protection of stored passwords. The vulnerability has a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD Database).

If exploited, this vulnerability could allow an attacker with access to the user's stored configuration to perform a brute force attack against the weakened master key. Upon successful key recovery, the attacker would gain access to all stored web connection passwords in the user's configuration database (OpenOffice Advisory).

The vulnerability was fixed in Apache OpenOffice version 4.1.13. Users are advised to upgrade to this version or later for the latest maintenance and cumulative security fixes. The update can be obtained through the official Apache OpenOffice download page (OpenOffice Advisory).