CVE-2024-6472

Certificate Validation user interface in LibreOffice allows potential vulnerability.




Signed macros are scripts that have been digitally signed by the developer using a cryptographic signature. When a document with a signed macro is opened, a warning is displayed by LibreOffice before the macro is executed.

Previously, if verification failed, the user could fail to understand the failure and choose to enable the macros anyway.


This issue affects LibreOffice: from 24.2 before 24.2.5.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 7.8 HIGH | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Document Fdn. | CNA | 7.8 HIGH | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |

CISA-ADP (ADP): ---, ---

Awaiting analysis: This vulnerability is currently awaiting analysis.

EPSS Score percentile: 3%
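
Debian Releases

| Product | Codename | Version | Status |
|---|---|---|---|
| libreoffice | bullseye | 1:7.0.4-4+deb11u10 | fixed |
| libreoffice | bullseye (security) | 1:7.0.4-4+deb11u12 | fixed |
| libreoffice | bookworm | 4:7.4.7-1+deb12u8 | fixed |
| libreoffice | bookworm (security) | 4:7.4.7-1+deb12u8 | fixed |
| libreoffice | sid | 4:25.2.3-2 | fixed |
| libreoffice | trixie | 4:25.2.3-2 | fixed |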

Ubuntu Releases

| Product | Codename | Version | Status |
|---|---|---|---|
| libreoffice | noble | Fixed 4:24.2.5-0ubuntu0.24.04.2 | released |
| libreoffice | jammy | Fixed 1:7.3.7-0ubuntu0.22.04.6 | released |
| libreoffice | focal | Fixed 1:6.4.7-0ubuntu0.20.04.11 | released |