CVE-2024-5261 — Improper Certificate Validation in Document Foundation Libreoffice
Severity
10.0 CRITICAL (NVD)
EPSS
0.5%
top 32.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 25
Latest update: Jul 4
Description
Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certificate verification.
LibreOfficeKit can be used for accessing LibreOffice functionality through C/C++. Typically this is used by third-party components to reuse LibreOffice as a library to convert, view or otherwise interact with documents.
LibreOffice internally makes use of "curl" to fetch remote resources such as images hosted on web servers.
In affected versions of LibreOffice, when used i…
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected Packages: 3 packages
Vulnerability Details: 3
OSV
CVE-2024-5261: Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certificate verification LibreOfficeKit can be used (2024-06-25)
GHSA
GHSA-rvcj-9xfm-m9hr: Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certificate verification LibreOfficeKit can be used (2024-06-25)