CVE-2024-5261: TLS certificate are not properly verified when utilizing LibreOfficeKit
First published: Tue Jun 25 2024(Updated: )
Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification LibreOfficeKit can be used for accessing LibreOffice functionality through C/C++. Typically this is used by third party components to reuse LibreOffice as a library to convert, view or otherwise interact with documents. LibreOffice internally makes use of "curl" to fetch remote resources such as images hosted on webservers. In affected versions of LibreOffice, when used in LibreOfficeKit mode only, then curl's TLS certification verification was disabled (CURLOPT_SSL_VERIFYPEER of false) In the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode with CURLOPT_SSL_VERIFYPEER of true. This issue affects LibreOffice before version 24.2.4.
Credit: security@documentfoundation.org security@documentfoundation.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ubuntu/libreoffice | <4:7.6.7-0ubuntu0.23.10.3 | 4:7.6.7-0ubuntu0.23.10.3 |
| ubuntu/libreoffice | <4:24.2.4-0ubuntu0.24.04.2 | 4:24.2.4-0ubuntu0.24.04.2 |
| ubuntu/libreoffice | <4:24.2.4-1 | 4:24.2.4-1 |
| debian/libreoffice | 1:7.0.4-4+deb11u9 1:7.0.4-4+deb11u10 4:7.4.7-1+deb12u3 4:7.4.7-1+deb12u4 4:24.2.5-1 4:24.2.5-2 |
Remedy
https://cgit.freedesktop.org/libreoffice/core/commit/?id=fa4ceeb487f89671efc8bf533192bf237c35b51e
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.libreoffice.org/about-us/security/advisories/cve-2024-5261
- https://www.libreoffice.org/about-us/security/advisories/cve-2024-5261/
- https://cgit.freedesktop.org/libreoffice/core/commit/?id=fa4ceeb487f89671efc8bf533192bf237c35b51e
- https://security-tracker.debian.org/tracker/CVE-2024-5261
- https://launchpad.net/bugs/cve/CVE-2024-5261
- https://www.cve.org/CVERecord?id=CVE-2024-5261
- https://ubuntu.com/security/notices/USN-6877-1
- https://nvd.nist.gov/vuln/detail/CVE-2024-5261
- https://ubuntu.com/security/CVE-2024-5261
Frequently Asked Questions
What is the severity of CVE-2024-5261?
CVE-2024-5261 has been classified as a high-severity vulnerability due to its potential impact on the confidentiality and integrity of data.
How do I fix CVE-2024-5261?
To address CVE-2024-5261, upgrade LibreOffice to a secure version, specifically to any of the remedied versions provided in the vendor advisory.
What systems are affected by CVE-2024-5261?
CVE-2024-5261 affects multiple LibreOffice versions on Ubuntu and Debian operating systems.
What is the nature of the vulnerability described in CVE-2024-5261?
CVE-2024-5261 is an improper certificate validation vulnerability that allows TLS certification verification to be disabled in LibreOfficeKit.
Are there workarounds for CVE-2024-5261?
No official workarounds are recommended for CVE-2024-5261; the best mitigation is to update to a patched version of LibreOffice.
- agent/weakness
- agent/title
- agent/type
- collector/nvd-api
- source/NVD
- agent/severity
- agent/remedy
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/event
- agent/description
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- agent/references
- collector/nvd-cve
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- agent/tags
- agent/source
- package-manager/ubuntu
- package-manager/debian