CVE-2019-9851

high-risk

Published 2019-08-15

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over. However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.

Do I need to act?

85.8% chance of exploitation in next 30 days

EPSS score — higher than 14% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

47298

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (10)

Ubuntu Linux

Debian Linux

Fedora

Leap

Libreoffice

Affected Vendors

Debian Canonical Fedoraproject Opensuse Libreoffice

References (18)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html

Third Party Advisory http://packetstormsecurity.com/files/154168/LibreOffice-Macro-Python-Code-Execut...

Mailing List https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Mailing List https://seclists.org/bugtraq/2019/Aug/28

Third Party Advisory https://usn.ubuntu.com/4102-1/

Third Party Advisory https://www.debian.org/security/2019/dsa-4501

Vendor Advisory https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9851