CVE-2024-12426: URL fetching can be used to exfiltrate arbitrary INI file values and environment variables
First published: Tue Jan 07 2025(Updated: )
Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice. URLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links. This issue affects LibreOffice: from 24.8 before < 24.8.4.
Credit: security@documentfoundation.org security@documentfoundation.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/libreoffice | <=1:7.0.4-4+deb11u10<=4:7.4.7-1+deb12u5 | 1:7.0.4-4+deb11u12 4:7.4.7-1+deb12u6 4:24.8.4-1 4:24.8.4-2 |
| LibreOffice Draw | >24.8<24.8.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.libreoffice.org/about-us/security/advisories/cve-2024-12426
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12426
- https://nvd.nist.gov/vuln/detail/CVE-2024-12426
- https://launchpad.net/bugs/cve/CVE-2024-12426
- https://security-tracker.debian.org/tracker/CVE-2024-12426
- https://ubuntu.com/security/CVE-2024-12426
- https://gerrit.libreoffice.org/c/core/+/176797
- https://gerrit.libreoffice.org/c/core/+/177987
- https://git.libreoffice.org/core/+/d6c89af2598e866aa9cb4fa3600691fb558befdb%5E%21
- https://git.libreoffice.org/core/+/b63aa51c55244ee67410201fa5e7c003427b1009%5E%21
- https://github.com/LibreOffice/core/commit/a22d185ef7d141676e8a4db15471bfe6d283cb8c
- https://github.com/LibreOffice/core/commit/4915889ab56bc946264c257391ba6eeedfdfad95
Frequently Asked Questions
What is the severity of CVE-2024-12426?
CVE-2024-12426 has a medium severity rating due to the potential exposure of sensitive information.
How do I fix CVE-2024-12426?
To mitigate CVE-2024-12426, update LibreOffice to versions 24.8.4 or later, or the specific patched Debian package versions.
What software is affected by CVE-2024-12426?
CVE-2024-12426 affects The Document Foundation LibreOffice versions up to 24.8.4.
What type of vulnerability is CVE-2024-12426?
CVE-2024-12426 is classified as an exposure vulnerability allowing unauthorized access to environmental variables and INI file values.
Who is impacted by CVE-2024-12426?
Users of The Document Foundation LibreOffice, particularly those using the vulnerable versions prior to the security updates, are at risk from CVE-2024-12426.
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/event
- collector/nvd-cve
- agent/author
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/references
- agent/source
- agent/description
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/the document foundation
- canonical/libreoffice draw