CVE-2024-6472 (GCVE-0-2024-6472)

Vulnerability from cvelistv5 – Published: 2024-08-05 12:55 – Updated: 2024-08-05 14:32
VLAI?
Title
Ability to trust not validated macro signatures removed in high security mode
Summary
Certificate Validation user interface in LibreOffice allows potential vulnerability. Signed macros are scripts that have been digitally signed by the developer using a cryptographic signature. When a document with a signed macro is opened a warning is displayed by LibreOffice before the macro is executed. Previously if verification failed the user could fail to understand the failure and choose to enable the macros anyway. This issue affects LibreOffice: from 24.2 before 24.2.5.
Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
  • CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
Vendor Product Version
The Document Foundation LibreOffice Affected: 24.2 , < 24.2.5 (24.2 series)
Create a notification for this product.
Credits
Thanks to OpenSource Security GmbH on behalf of the German Federal Office for Information Security
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:the_document_foundation:libreoffice:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "libreoffice",
            "vendor": "the_document_foundation",
            "versions": [
              {
                "lessThan": "24.2.5",
                "status": "affected",
                "version": "24.2",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6472",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-05T14:28:03.223479Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:32:48.640Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "LibreOffice",
          "vendor": "The Document Foundation",
          "versions": [
            {
              "lessThan": "24.2.5",
              "status": "affected",
              "version": "24.2",
              "versionType": "24.2 series"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanks to OpenSource Security GmbH on behalf of the German Federal Office for Information Security"
        }
      ],
      "datePublic": "2024-08-05T12:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eCertificate Validation user interface in LibreOffice allows potential vulnerability.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eSigned macros are scripts that have been digitally signed by the \ndeveloper using a cryptographic signature. When a document with a signed\n macro is opened a warning is displayed by LibreOffice before the macro \nis executed.\u003cbr\u003e\u003cbr\u003ePreviously if verification failed the user could fail to understand the failure and choose to enable the macros anyway.\u003cbr\u003e\u003c/div\u003e\u003cp\u003eThis issue affects LibreOffice: from 24.2 before 24.2.5.\u003c/p\u003e"
            }
          ],
          "value": "Certificate Validation user interface in LibreOffice allows potential vulnerability.\n\n\n\n\nSigned macros are scripts that have been digitally signed by the \ndeveloper using a cryptographic signature. When a document with a signed\n macro is opened a warning is displayed by LibreOffice before the macro \nis executed.\n\nPreviously if verification failed the user could fail to understand the failure and choose to enable the macros anyway.\n\n\nThis issue affects LibreOffice: from 24.2 before 24.2.5."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-21",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-21 Exploitation of Trusted Identifiers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295 Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-05T12:55:39.199Z",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2024-6472"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Ability to trust not validated macro signatures removed in high security mode",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2024-6472",
    "datePublished": "2024-08-05T12:55:39.199Z",
    "dateReserved": "2024-07-03T09:26:27.358Z",
    "dateUpdated": "2024-08-05T14:32:48.640Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-6472\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-05T14:28:03.223479Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:the_document_foundation:libreoffice:*:*:*:*:*:*:*:*\"], \"vendor\": \"the_document_foundation\", \"product\": \"libreoffice\", \"versions\": [{\"status\": \"affected\", \"version\": \"24.2\", \"lessThan\": \"24.2.5\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-05T14:30:57.514Z\"}}], \"cna\": {\"title\": \"Ability to trust not validated macro signatures removed in high security mode\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Thanks to OpenSource Security GmbH on behalf of the German Federal Office for Information Security\"}], \"impacts\": [{\"capecId\": \"CAPEC-21\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-21 Exploitation of Trusted Identifiers\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"The Document Foundation\", \"product\": \"LibreOffice\", \"versions\": [{\"status\": \"affected\", \"version\": \"24.2\", \"lessThan\": \"24.2.5\", \"versionType\": \"24.2 series\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2024-08-05T12:00:00.000Z\", \"references\": [{\"url\": \"https://www.libreoffice.org/about-us/security/advisories/CVE-2024-6472\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Certificate Validation user interface in LibreOffice allows potential vulnerability.\\n\\n\\n\\n\\nSigned macros are scripts that have been digitally signed by the \\ndeveloper using a cryptographic signature. When a document with a signed\\n macro is opened a warning is displayed by LibreOffice before the macro \\nis executed.\\n\\nPreviously if verification failed the user could fail to understand the failure and choose to enable the macros anyway.\\n\\n\\nThis issue affects LibreOffice: from 24.2 before 24.2.5.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003eCertificate Validation user interface in LibreOffice allows potential vulnerability.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eSigned macros are scripts that have been digitally signed by the \\ndeveloper using a cryptographic signature. When a document with a signed\\n macro is opened a warning is displayed by LibreOffice before the macro \\nis executed.\u003cbr\u003e\u003cbr\u003ePreviously if verification failed the user could fail to understand the failure and choose to enable the macros anyway.\u003cbr\u003e\u003c/div\u003e\u003cp\u003eThis issue affects LibreOffice: from 24.2 before 24.2.5.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-295\", \"description\": \"CWE-295 Improper Certificate Validation\"}]}], \"providerMetadata\": {\"orgId\": \"4fe7d05b-1353-44cc-8b7a-1e416936dff2\", \"shortName\": \"Document Fdn.\", \"dateUpdated\": \"2024-08-05T12:55:39.199Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-6472\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-05T14:32:48.640Z\", \"dateReserved\": \"2024-07-03T09:26:27.358Z\", \"assignerOrgId\": \"4fe7d05b-1353-44cc-8b7a-1e416936dff2\", \"datePublished\": \"2024-08-05T12:55:39.199Z\", \"assignerShortName\": \"Document Fdn.\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.