CVE-2019-9854 : LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.

Published 2019-09-06 19:15:12

Updated 2020-08-24 17:37:01

Source Document Foundation, The

View at NVD, CVE.org

Vulnerability category: Directory traversal

Exploit prediction scoring system (EPSS) score for CVE-2019-9854

Probability of exploitation activity in the next 30 days: 0.21%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 58 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2019-9854

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-9854

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-9854

https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/

CVE-2019-9854 | LibreOffice - Free Office Suite - Fun Project - Fantastic People
Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html

[security-announce] openSUSE-SU-2019:2183-1: moderate: Security update f
Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/4138-1/

USN-4138-1: LibreOffice vulnerability | Ubuntu security notices
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00055.html

[security-announce] openSUSE-SU-2019:2361-1: moderate: Security update f
Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2019/dsa-4519

Debian -- Security Information -- DSA-4519-1 libreoffice
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html

[SECURITY] [DLA 1947-1] libreoffice security update
Third Party Advisory

CVEs referencing this url
https://seclists.org/bugtraq/2019/Sep/17

Bugtraq: [SECURITY] [DSA 4519-1] libreoffice security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=1769907

1769907 – (CVE-2019-9854) CVE-2019-9854 libreoffice: unsafe URL assembly flaw in allowed script location check
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQKKOIY2DMZCXJINOLIQXD2NWISDKK3N/

[SECURITY] Fedora 29 Update: libreoffice-6.1.6.3-4.fc29 - package-announce - Fedora Mailing-Lists
Third Party Advisory

Products affected by CVE-2019-9854

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 19.04
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 29
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.0
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.1
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Matching versions
Libreoffice » Libreoffice
Versions from including (>=) 6.3.0 and before (<) 6.3.1
cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*
Matching versions
Libreoffice » Libreoffice
Versions from including (>=) 6.2.0 and before (<) 6.2.7
cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2019-9854

Exploit prediction scoring system (EPSS) score for CVE-2019-9854

CVSS scores for CVE-2019-9854

CWE ids for CVE-2019-9854

References for CVE-2019-9854

Products affected by CVE-2019-9854