CVE-2024-5261 TLS certificate are not properly verified when utilizing LibreOfficeKit

2024-06-2512:44:24

CWE-295

Document Fdn.

www.cve.org

cve-2024-5261

libreofficekit

tls certificate

libreoffice

vulnerability

c/c++

curl

certification

verification

libreoffice

10 High

CVSS4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H

0.0004 Low

EPSS

Percentile

9.1%

JSON

Improper Certificate Validation vulnerability in LibreOffice “LibreOfficeKit” mode disables TLS certification verification

LibreOfficeKit can be used for accessing LibreOffice functionality
through C/C++. Typically this is used by third party components to reuse
LibreOffice as a library to convert, view or otherwise interact with
documents.

LibreOffice internally makes use of “curl” to fetch remote resources such as images hosted on webservers.

In
affected versions of LibreOffice, when used in LibreOfficeKit mode
only, then curl’s TLS certification verification was disabled
(CURLOPT_SSL_VERIFYPEER of false)

In the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode with CURLOPT_SSL_VERIFYPEER of true.

This issue affects LibreOffice before version 24.2.4.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "LibreOffice",
    "vendor": "The Document Foundation",
    "versions": [
      {
        "lessThan": "24.2.4",
        "status": "affected",
        "version": "24.2",
        "versionType": "24.2 series"
      }
    ]
  }
]