Attacker Value

Unknown

Unsafe URL assembly flaw in allowed script location check

Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unsafe URL assembly flaw in allowed script location check

Disclosure Date: September 06, 2019 •

CVE-2019-9854 CVSS v3 Base Score: 7.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.8 High

Impact Score:

5.9

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

canonical,
debian,
fedoraproject,
libreoffice,
opensuse,
redhat

Products

debian linux 10.0,
debian linux 8.0,
debian linux 9.0,
enterprise linux 7.0,
enterprise linux 8.0,
fedora 29,
leap 15.0,
leap 15.1,
libreoffice,
ubuntu linux 16.04,
ubuntu linux 18.04,
ubuntu linux 19.04

References

Canonical

CVE-2019-9854 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9854)

Advisory

https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854

DSA-4519 (https://www.debian.org/security/2019/dsa-4519)

20190910 [SECURITY] [DSA 4519-1] libreoffice security update (https://seclists.org/bugtraq/2019/Sep/17)

FEDORA-2019-9627e1402e (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQKKOIY2DMZCXJINOLIQXD2NWISDKK3N)

USN-4138-1 (https://usn.ubuntu.com/4138-1)

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html

[debian-lts-announce] 20191006 [SECURITY] [DLA 1947-1] libreoffice security update (https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html)

http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00055.html

Rapid7

Unknown