CVE-2020-12802

EUVD-2020-5085

08.06.2020, 16:15

LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where remote graphic links loaded from docx documents were omitted from this protection prior to version 6.4.4. This issue affects: The Document Foundation LibreOffice versions prior to 6.4.4.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 64%

Affected Products (NVD)

Vendor	Product	Version
libreoffice	libreoffice	𝑥 < 6.4.4
opensuse	leap	15.1
opensuse	leap	15.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libreoffice

bookworm	4:7.4.7-1+deb12u4 fixed
bookworm (security)	4:7.4.7-1+deb12u5 fixed
bullseye	1:7.0.4-4+deb11u10 fixed
bullseye (security)	1:7.0.4-4+deb11u11 fixed
jessie	ignored
sid	4:24.8.2-2 fixed
stretch	ignored
trixie	4:24.8.2-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

libreoffice

bionic	ignored
eoan	ignored
focal	Fixed 1:6.4.7-0ubuntu0.20.04.1 released
groovy	Fixed 1:6.4.4-0ubuntu1 released
hirsute	Fixed 1:6.4.4-0ubuntu1 released
impish	Fixed 1:6.4.4-0ubuntu1 released
jammy	Fixed 1:6.4.4-0ubuntu1 released
kinetic	Fixed 1:6.4.4-0ubuntu1 released
trusty	dne
xenial	ignored

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00042.html

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00058.html

https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PQIBAKXD7VO5IGBD7ZMH3GGBNR5R2IOA/

https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12802

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00042.html

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00058.html

https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PQIBAKXD7VO5IGBD7ZMH3GGBNR5R2IOA/

https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12802