CVE-2019-9852
Published 2019-08-15
Priority: P3 · 40 · high · 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.93% (77.5th percentile)
LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.
Affected
28 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libreoffice | < libreoffice 1:6.3.0-1 (bookworm) | libreoffice 1:6.3.0-1 (bookworm) |
| debian | libreoffice | < libreoffice 1:6.3.1~rc2-1 (bookworm) | libreoffice 1:6.3.1~rc2-1 (bookworm) |
| document_foundation | libreoffice | >= 6.2 < 6.2.7 | 6.2.7 |
| document_foundation | libreoffice | >= 6.3 < 6.3.1 | 6.3.1 |
| fedoraproject | fedora | — | — |
| libreoffice | libreoffice | < 6.2.6 | 6.2.6 |
| libreoffice | libreoffice | >= 0 < 1:6.3.1~rc2-1 | 1:6.3.1~rc2-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0-1 | 1:6.3.0-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.1~rc2-1 | 1:6.3.1~rc2-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0-1 | 1:6.3.0-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.1~rc2-1 | 1:6.3.1~rc2-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0-1 | 1:6.3.0-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.1~rc2-1 | 1:6.3.1~rc2-1 |
| libreoffice | libreoffice | >= 0 < 1:6.3.0-1 | 1:6.3.0-1 |
| libreoffice | libreoffice | >= 0 < 1:5.1.6~rc2-0ubuntu1~xenial9 | 1:5.1.6~rc2-0ubuntu1~xenial9 |
| libreoffice | libreoffice | >= 0 < 1:6.0.7-0ubuntu0.18.04.9 | 1:6.0.7-0ubuntu0.18.04.9 |
| libreoffice | libreoffice | >= 6.2.0 < 6.2.7 | 6.2.7 |
| libreoffice | libreoffice | >= 6.3.0 < 6.3.1 | 6.3.1 |
| opensuse | leap | — | — |
CVSS provenance
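| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |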
GHSA
GHSA-vgrf-j225-8963: LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2019-9852 [HIGH] CWE-22 GHSA-vgrf-j225-8963: LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-
GHSA
GHSA-54x7-phmv-8vq8: LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2019-9854 [HIGH] GHSA-54x7-phmv-8vq8: LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-
LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step. This iss
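The two flaws described above (CVE-2019-9852: the location is checked before it is decoded; CVE-2019-9854: the final location is assembled from the input rather than from the checked value) can be shown on a simplified model. This is an added example, not LibreOffice's code; the install path, the sample locations and the function names `naive_resolve`, `fully_decode` and `safe_resolve` are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed install layout (assumption); real paths differ per platform.
INSTALL = "/opt/libreoffice"
ALLOWED_ROOTS = (
    INSTALL + "/share/Scripts/python",
    INSTALL + "/user/Scripts/python",
)


def _inside(path, root):
    # Compare whole path segments so "/python-evil" does not match "/python".
    return path == root or path.startswith(root + "/")


def naive_resolve(location):
    """Flawed pattern: validate the still-encoded text, decode afterwards."""
    candidate = posixpath.normpath(posixpath.join(INSTALL, location))
    if not any(_inside(candidate, r) for r in ALLOWED_ROOTS):
        raise PermissionError(location)
    # Decoding after the check yields path segments the check never saw.
    return posixpath.normpath(unquote(candidate))


def fully_decode(text, max_rounds=4):
    """Undo nested percent-encoding; refuse input that never settles."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            return text
        text = decoded
    raise PermissionError("excessive percent-encoding")


def safe_resolve(location):
    """Decode first, canonicalise, check, and return only the checked value."""
    decoded = fully_decode(location)
    if "\x00" in decoded or "\\" in decoded:
        raise PermissionError(location)
    candidate = posixpath.normpath(posixpath.join(INSTALL, decoded))
    if not any(_inside(candidate, r) for r in ALLOWED_ROOTS):
        raise PermissionError(location)
    # Callers load the script from this value only, never from the original
    # location or its components (the assembly mistake behind CVE-2019-9854).
    return candidate
```

On a filesystem with symlinks the same check should be made on the resolved real path, since `posixpath.normpath` is purely lexical.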
OSV
CVE-2019-9854: LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-
osv·2019-09-06·CVSS 7.8
CVE-2019-9854 [HIGH] CVE-2019-9854: LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-
OSV
libreoffice vulnerabilities
osv·2019-08-19·CVSS 9.8
CVE-2019-9850 [CRITICAL] libreoffice vulnerabilities
It was discovered that LibreOffice incorrectly handled LibreLogo scripts.
If a user were tricked into opening a specially crafted document, a remote
attacker could cause LibreOffice to execute arbitrary code. (CVE-2019-9850,
CVE-2019-9851)
It was discovered that LibreOffice incorrectly handled embedded scripts in
document files. If a user were tricked into opening a specially crafted
document, a remote attacker could possibly execute arbitrary code.
(CVE-2019-9852)
OSV
CVE-2019-9852: LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-
osv·2019-08-15·CVSS 9.8
CVE-2019-9852 [CRITICAL] CVE-2019-9852: LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-
Red Hat
libreoffice: Unsafe URL assembly flaw in allowed script location check
vendor_redhat·2019-09-06·CVSS 7.8
CVE-2019-9854 [HIGH] CWE-284 libreoffice: Unsafe URL assembly flaw in allowed script location check
Ubuntu
LibreOffice vulnerabilities
vendor_ubuntu·2019-08-19·CVSS 9.8
CVE-2019-9850 [CRITICAL] LibreOffice vulnerabilities
Title: LibreOffice vulnerabilities
Summary: Several security issues were fixed in LibreOffice.
It was discovered that LibreOffice incorrectly handled LibreLogo scripts.
If a user were tricked into opening a specially crafted document, a remote
attacker could cause LibreOffice to execute arbitrary code. (CVE-2019-9850,
CVE-2019-9851)
It was discovered that LibreOffice incorrectly handled embedded scripts in
document files. If a user were tricked into opening a specially crafted
document, a remote attacker could possibly execute arbitrary code.
(CVE-2019-9852)
Instructions: After a standard system update you need to restart LibreOffice to make all
the necessary changes.
Red Hat
libreoffice: Insufficient URL encoding flaw in allowed script location check
vendor_redhat·2019-08-15·CVSS 7.8
CVE-2019-9852 [HIGH] CWE-22 libreoffice: Insufficient URL encoding flaw in allowed script location check
Debian
CVE-2019-9852: libreoffice - LibreOffice has a feature where documents can specify that pre-installed macros ...
vendor_debian·2019·CVSS 7.8
CVE-2019-9852 [HIGH] CVE-2019-9852: libreoffice - LibreOffice has a feature where documents can specify that pre-installed macros ...
Scope: local
bookworm: resolved (fixed in 1:6.3.0-1)
bullseye: resolv
Debian
CVE-2019-9854: libreoffice - LibreOffice has a feature where documents can specify that pre-installed macros ...
vendor_debian·2019·CVSS 7.8
CVE-2019-9854 [HIGH] CVE-2019-9854: libreoffice - LibreOffice has a feature where documents can specify that pre-installed macros ...
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-9854 libreoffice: Unsafe URL assembly flaw in allowed script location check
bugzilla·2019-11-07·CVSS 7.8
CVE-2019-9854 [HIGH] CVE-2019-9854 libreoffice: Unsafe URL assembly flaw in allowed script location check
Bugzilla
CVE-2019-9852 libreoffice: Insufficient URL encoding flaw in allowed script location check
bugzilla·2019-08-23·CVSS 7.8
CVE-2019-9852 [HIGH] CVE-2019-9852 libreoffice: Insufficient URL encoding flaw in allowed script location check
A vulnerability was found in LibreOffice prior to 6.2.6. LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processin
Bugzilla
CVE-2019-9852 libreoffice: Insufficient URL encoding flaw in allowed script location check [fedora-all]
bugzilla·2019-08-23·CVSS 7.8
CVE-2019-9852 [HIGH] CVE-2019-9852 libreoffice: Insufficient URL encoding flaw in allowed script location check [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects m
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html
https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMEGUWMWORC3DOVEHVXLFT3A5RSCMLBH/
https://seclists.org/bugtraq/2019/Aug/28
https://seclists.org/bugtraq/2019/Sep/17
https://usn.ubuntu.com/4102-1/
https://www.debian.org/security/2019/dsa-4501
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9852