CVE-2018-16858
published 2019-03-25


Priority: P178, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 67.55% (99.2th percentile)

It was found that LibreOffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document which, when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location.

Affected

27 ranges, showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | libreoffice | < libreoffice 1:6.1.3-1 (bookworm) | libreoffice 1:6.1.3-1 (bookworm) |
| debian | libreoffice | < libreoffice 1:6.3.0-1 (bookworm) | libreoffice 1:6.3.0-1 (bookworm) |
| document_foundation | libreoffice | >= 6.2 < 6.2.7 | 6.2.7 |
| document_foundation | libreoffice | >= 6.3 < 6.3.1 | 6.3.1 |
| document_foundation | libreoffice | >= unspecified < 6.2.6 | 6.2.6 |
| fedoraproject | fedora | | |
| libreoffice | libreoffice | < 6.2.6 | 6.2.6 |
| libreoffice | libreoffice | < 6.0.7 | 6.0.7 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0-1 | 1:6.3.0-1 |
| libreoffice | libreoffice | >= 0 < 1:6.1.3-1 | 1:6.1.3-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0-1 | 1:6.3.0-1 |
| libreoffice | libreoffice | >= 0 < 1:6.1.3-1 | 1:6.1.3-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0-1 | 1:6.3.0-1 |
| libreoffice | libreoffice | >= 0 < 1:6.1.3-1 | 1:6.1.3-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0-1 | 1:6.3.0-1 |
| libreoffice | libreoffice | >= 0 < 1:6.1.3-1 | 1:6.1.3-1 |
| libreoffice | libreoffice | >= 0 < 1:4.2.8-0ubuntu5.5 | 1:4.2.8-0ubuntu5.5 |
| libreoffice | libreoffice | >= 0 < 1:5.1.6~rc2-0ubuntu1~xenial6 | 1:5.1.6~rc2-0ubuntu1~xenial6 |
| libreoffice | libreoffice | >= 6.1.0 < 6.1.3 | 6.1.3 |

Detection & IOCs (extracted from sources)

filename: librefile.odt
path: ../../../program/python-core-3.5.5/lib/pydoc.py
filename: pydoc.py
path: data/exploits/CVE-2018-16858/librefile.erb
  • The exploit delivers a malicious ODT (OpenDocument Text) file containing a mouse-over event that triggers code execution without any warning dialogue — hunt for ODT files with embedded script/macro event bindings referencing Python scripts via directory traversal paths.
  • The directory traversal payload targets pydoc.py's tempfilepager function to pass arguments to os.system. Detect macro event references containing '../' sequences pointing to pydoc.py inside ODT/ODF documents.
  • Malicious URLs in ODT documents may be rendered invisible by setting text color to match the document background — inspect ODT XML for hyperlinks with matching foreground/background color attributes.
  • CVE-2019-9852 is a URL-encoding bypass of the CVE-2018-16858 directory traversal fix — also detect percent-encoded traversal sequences (e.g., %2e%2e%2f) in LibreOffice macro script path references within documents.
  • The vulnerability is cross-platform (Linux, Windows, and macOS). The Metasploit module targets win/linux; macOS exploitation requires editing the PoC code.
  • The fix in 6.1.3.2 was later bypassed by CVE-2019-9852 via URL encoding; ensure patching extends to LibreOffice 6.2.6+ to address both vulnerabilities.
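
A detection sketch for the traversal bullets above, added here as an example (not code from this page or from LibreOffice): it scans the XML members of an ODT for `vnd.sun.star.script:` references and flags any whose path, after repeated percent-decoding, contains a `..` segment, which covers both the plain form and the URL-encoded bypass. The sample documents, the `PLACEHOLDER` function name and all helper names are constructed for illustration.

```python
import io, re, zipfile
from urllib.parse import unquote

# LibreOffice scripting-framework URI; capture the script path up to the query string.
SCRIPT_URI = re.compile(r'vnd\.sun\.star\.script:([^"\'?]*)')

def decode_fully(value, rounds=5):
    """Percent-decode repeatedly so %2e%2e%2f and double-encoded forms collapse to ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_script_refs(odt_bytes):
    """Return (zip member, raw script path) for references whose decoded path has a '..' segment."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as odt:
        for name in odt.namelist():
            if not name.endswith(".xml"):
                continue
            text = odt.read(name).decode("utf-8", errors="replace")
            for match in SCRIPT_URI.finditer(text):
                path = decode_fully(match.group(1)).replace("\\", "/")
                if ".." in path.split("/"):
                    hits.append((name, match.group(1)))
    return hits

def build_sample(href):
    """Constructed sample: a minimal ODT-like zip holding one simplified event binding."""
    xml = ('<office:document-content><script:event-listener '
           'script:event-name="dom:mouseover" xlink:href="%s"/>'
           '</office:document-content>' % href)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", xml)
    return buf.getvalue()

# Constructed hrefs: the traversal path is the one listed on this page; PLACEHOLDER is not a real function.
TAIL = "program/python-core-3.5.5/lib/pydoc.py$PLACEHOLDER?language=Python&amp;location=share"
SAMPLES = {
    "plain": "vnd.sun.star.script:../../../" + TAIL,
    "encoded": "vnd.sun.star.script:%2e%2e%2f%2e%2e%2f%2e%2e%2f" + TAIL,
    "benign": "vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document",
}

if __name__ == "__main__":
    for label, href in SAMPLES.items():
        print(label, find_traversal_script_refs(build_sample(href)))
```
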

CVSS provenance

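| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |
| vendor_ubuntu | | 7.8 | HIGH | |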