CVE-2019-9852

Insufficient URL encoding flaw in allowed script location check

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.

LibreOffice está comúnmente incorporada con LibreLogo, un script de gráficos específicos turtle programables, lo que puede ejecutar comandos arbitrarios de python contenidos con el documento desde que se inicia. Se agregó protección, para abordar el CVE-2019-9848, para bloquear las llamadas a LibreLogo desde los manejadores de script de eventos de documentos, p. ej. mouse over. Sin embargo, LibreOffice también presenta una funcionalidad separada en la que los documentos pueden especificar que los scripts preinstalados pueden ser ejecutados en varios eventos de script globales, tales como document-open, etc. Este problema afecta: Document Foundation LibreOffice versiones anteriores a 6.2.6

*Credits: Thanks to Nils Emmerich of ERNW Research GmbH for discovering and reporting this issue

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-03-17 CVE Reserved
2019-08-15 CVE Published
2024-08-08 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-116: Improper Encoding or Escaping of Output

CAPEC

References (11)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html	Mailing List
https://seclists.org/bugtraq/2019/Aug/28	Issue Tracking
https://seclists.org/bugtraq/2019/Sep/17	Mailing List

URL	Date	SRC

URL	Date	SRC
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9852	2023-11-07

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMEGUWMWORC3DOVEHVXLFT3A5RSCMLBH	2023-11-07
https://usn.ubuntu.com/4102-1	2023-11-07
https://www.debian.org/security/2019/dsa-4501	2023-11-07
https://access.redhat.com/security/cve/CVE-2019-9852	2020-04-28
https://bugzilla.redhat.com/show_bug.cgi?id=1744868	2020-04-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				19.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.04"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				29 Search vendor "Fedoraproject" for product "Fedora" and version "29"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.0 Search vendor "Opensuse" for product "Leap" and version "15.0"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Libreoffice Search vendor "Libreoffice"		Libreoffice Search vendor "Libreoffice" for product "Libreoffice"				< 6.2.6 Search vendor "Libreoffice" for product "Libreoffice" and version " < 6.2.6"		-		Affected