7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.9 High
AI Score
Confidence
High
0.004 Low
EPSS
Percentile
74.7%
The version of LibreOffice installed on the remote Windows host is prior to 6.2.7 or 6.3.x prior to 6.3.1. It is, therefore, affected by the following vulnerabilities:
A directory traversal vulnerability resulting from a feature in LibreOffice which allows documents to specify pre-installed macros that can be executed on various script events. Only scripts under the ‘share/Scripts/python’ and /user/Scripts/python’ sub-directories of the LibreOffice install should be accessible. Previous protection to address CVE-2019-9852 to avoid a similar attack was added, however this protection can be bypassed due to a flaw in how LibreOffice assembles the final script URL location. This flaw can be exploited to allow scripts in arbitrary locations on the file system to be executed. (CVE-2019-9854)
An arbitrary script execution vulnerability caused by a flaw allowing event-based execution of Python scripts within a document. Previous protection was added to address this flaw, however due to a Windows 8.3 path equivalence flaw, Windows systems are still vulnerable via Windows filename pseudonyms. Note, LibreLogo must be installed for this vulnerability to be exploitable, however LibreLogo is frequently bundled with LibreOffice. (CVE-2019-9855)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(129535);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/19");
script_cve_id("CVE-2019-9854", "CVE-2019-9855");
script_xref(name:"IAVB", value:"2019-B-0078-S");
script_name(english:"LibreOffice < 6.2.7 / 6.3.x < 6.3.1 Multiple Vulnerabilities (Windows)");
script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote host is affected by multiple
vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of LibreOffice installed on the remote Windows host is prior to 6.2.7 or 6.3.x prior to 6.3.1. It is,
therefore, affected by the following vulnerabilities:
- A directory traversal vulnerability resulting from a feature in LibreOffice which allows documents to
specify pre-installed macros that can be executed on various script events. Only scripts under the
'share/Scripts/python' and /user/Scripts/python' sub-directories of the LibreOffice install should be
accessible. Previous protection to address CVE-2019-9852 to avoid a similar attack was added, however this
protection can be bypassed due to a flaw in how LibreOffice assembles the final script URL location. This
flaw can be exploited to allow scripts in arbitrary locations on the file system to be executed.
(CVE-2019-9854)
- An arbitrary script execution vulnerability caused by a flaw allowing event-based execution of Python
scripts within a document. Previous protection was added to address this flaw, however due to a Windows
8.3 path equivalence flaw, Windows systems are still vulnerable via Windows filename pseudonyms. Note,
LibreLogo must be installed for this vulnerability to be exploitable, however LibreLogo is frequently
bundled with LibreOffice. (CVE-2019-9855)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://www.libreoffice.org/about-us/security/advisories/cve-2019-9854/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?43a121e2");
# https://www.libreoffice.org/about-us/security/advisories/cve-2019-9855/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c323d2ce");
script_set_attribute(attribute:"solution", value:
"Upgrade to LibreOffice version 6.2.7, 6.3.1 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9855");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/06");
script_set_attribute(attribute:"patch_publication_date", value:"2019/09/06");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/03");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:libreoffice:libreoffice");
script_set_attribute(attribute:"stig_severity", value:"II");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("libreoffice_installed.nasl");
script_require_keys("installed_sw/LibreOffice", "SMB/Registry/Enumerated");
exit(0);
}
include('vcf.inc');
get_kb_item_or_exit('SMB/Registry/Enumerated');
app_info = vcf::get_app_info(app:'LibreOffice');
constraints = [
{'fixed_version':'6.2.7'},
{'min_version':'6.3', 'fixed_version':'6.3.1'}];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
Vendor | Product | Version | CPE |
---|---|---|---|
libreoffice | libreoffice | cpe:/a:libreoffice:libreoffice |
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.9 High
AI Score
Confidence
High
0.004 Low
EPSS
Percentile
74.7%