CVE-2020-12802: remote graphics contained in docx format retrieved in 'stealth mode'
First published: Mon Jun 08 2020(Updated: )
LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where remote graphic links loaded from docx documents were omitted from this protection prior to version 6.4.4. This issue affects: The Document Foundation LibreOffice versions prior to 6.4.4.
Credit: security@documentfoundation.org security@documentfoundation.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Libreoffice Libreoffice | <6.4.4 | |
| Fedoraproject Fedora | =31 | |
| openSUSE Leap | =15.1 | |
| openSUSE Leap | =15.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00058.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQIBAKXD7VO5IGBD7ZMH3GGBNR5R2IOA/
- https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12802
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PQIBAKXD7VO5IGBD7ZMH3GGBNR5R2IOA/
- https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html
Frequently Asked Questions
What is CVE-2020-12802?
CVE-2020-12802 is a vulnerability in LibreOffice that allows remote resources to be included in a document even when the 'stealth mode' is enabled.
How does the 'stealth mode' in LibreOffice work?
The 'stealth mode' in LibreOffice allows only documents from trusted locations to retrieve remote resources.
Is CVE-2020-12802 a default mode in LibreOffice?
No, CVE-2020-12802 is not a default mode in LibreOffice but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document.
Which versions of LibreOffice are affected by CVE-2020-12802?
LibreOffice versions up to and excluding 6.4.4 are affected by CVE-2020-12802.
What is the severity of CVE-2020-12802?
CVE-2020-12802 has a severity value of 5.3, which is classified as medium.
What is the Common Weakness Enumeration (CWE) ID of CVE-2020-12802?
The CWE ID of CVE-2020-12802 is 200.
- collector/nvd-index
- agent/references
- agent/type
- agent/author
- agent/weakness
- agent/title
- agent/severity
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- vendor/libreoffice
- canonical/libreoffice libreoffice
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- version/opensuse leap/15.2