CVE-2024-6472

EUVD-2024-47565

05.08.2024, 13:15

Certificate Validation user interface in LibreOffice allows potential vulnerability.

Signed macros are scripts that have been digitally signed by the
developer using a cryptographic signature. When a document with a signed
macro is opened a warning is displayed by LibreOffice before the macro
is executed.

Previously if verification failed the user could fail to understand the failure and choose to enable the macros anyway.

This issue affects LibreOffice: from 24.2 before 24.2.5.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 22%

Affected Products (NVD)

Vendor	Product	Version
libreoffice	libreoffice	24.2.0.0 ≤ 𝑥 < 24.2.5.1

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
the_document_foundation	libreoffice	24.2 ≤ 𝑥 < 24.2.5	ADP

Debian Releases

Debian Product

Codename

libreoffice

bookworm	4:7.4.7-1+deb12u9 fixed
bookworm (security)	4:7.4.7-1+deb12u8 fixed
bullseye	1:7.0.4-4+deb11u10 fixed
bullseye (security)	1:7.0.4-4+deb11u13 fixed
forky	4:25.8.4-1 fixed
sid	4:25.8.4-1 fixed
trixie	4:25.2.3-2+deb13u2 fixed

Ubuntu Releases

Ubuntu Product

Codename

libreoffice

focal	Fixed 1:6.4.7-0ubuntu0.20.04.11 released
jammy	Fixed 1:7.3.7-0ubuntu0.22.04.6 released
noble	Fixed 4:24.2.5-0ubuntu0.24.04.2 released

Common Weakness Enumeration

CWE-295 - Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate.

References

https://www.libreoffice.org/about-us/security/advisories/CVE-2024-6472