CVE-2024-5261
TLS certificate are not properly verified when utilizing LibreOfficeKit
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification
LibreOfficeKit can be used for accessing LibreOffice functionality
through C/C++. Typically this is used by third party components to reuse
LibreOffice as a library to convert, view or otherwise interact with
documents.
LibreOffice internally makes use of "curl" to fetch remote resources such as images hosted on webservers.
In
affected versions of LibreOffice, when used in LibreOfficeKit mode
only, then curl's TLS certification verification was disabled
(CURLOPT_SSL_VERIFYPEER of false)
In the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode with CURLOPT_SSL_VERIFYPEER of true.
This issue affects LibreOffice before version 24.2.4.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-05-23 CVE Reserved
- 2024-06-25 CVE Published
- 2024-06-26 EPSS Updated
- 2024-08-01 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-295: Improper Certificate Validation
CAPEC
- CAPEC-94: Adversary in the Middle (AiTM)
References (1)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| The Document Foundation Search vendor "The Document Foundation" | LibreOffice Search vendor "The Document Foundation" for product "LibreOffice" | >= 24.2.0 < 24.2.4 Search vendor "The Document Foundation" for product "LibreOffice" and version " >= 24.2.0 < 24.2.4" | en |
Affected
| ||||||