Skip to content

Improper Certificate Validation vulnerability in...

Unreviewed Published Jun 25, 2024 to the GitHub Advisory Database • Updated Jun 25, 2024

Package

No package listedSuggest a package

Affected versions

Unknown

Patched versions

Unknown

Description

Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification

LibreOfficeKit can be used for accessing LibreOffice functionality
through C/C++. Typically this is used by third party components to reuse
LibreOffice as a library to convert, view or otherwise interact with
documents.

LibreOffice internally makes use of "curl" to fetch remote resources such as images hosted on webservers.

In
affected versions of LibreOffice, when used in LibreOfficeKit mode
only, then curl's TLS certification verification was disabled
(CURLOPT_SSL_VERIFYPEER of false)

In the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode with CURLOPT_SSL_VERIFYPEER of true.

This issue affects LibreOffice before version 24.2.4.

References

Published by the National Vulnerability Database Jun 25, 2024
Published to the GitHub Advisory Database Jun 25, 2024
Last updated Jun 25, 2024

Severity

Unknown

EPSS score

0.043%
(10th percentile)

Weaknesses

CVE ID

CVE-2024-5261

GHSA ID

GHSA-rvcj-9xfm-m9hr

Source code

No known source code

Dependabot alerts are not supported on this advisory because it does not have a package from a supported ecosystem with an affected and fixed version.

Learn more about GitHub language support

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.