Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification LibreOfficeKit can be used for accessing LibreOffice functionality through C/C++. Typically this is used by third party components to reuse LibreOffice as a library to convert, view or otherwise interact with documents. LibreOffice internally makes use of "curl" to fetch remote resources such as images hosted on webservers. In affected versions of LibreOffice, when used in LibreOfficeKit mode only, then curl's TLS certification verification was disabled (CURLOPT_SSL_VERIFYPEER of false) In the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode with CURLOPT_SSL_VERIFYPEER of true. This issue affects LibreOffice before version 24.2.4.
LibreOffice internally uses the curl library to download remote resources, such as images hosted on web servers. In vulnerable versions, when LibreOffice operated in LibreOfficeKit mode, the curl option CURLOPT_SSL_VERIFYPEER was set to false, which meant complete bypass of TLS server certificate verification. An attacker capable of performing a man-in-the-middle attack could impersonate any remote server without detection by the application. In patched versions, LibreOfficeKit mode operates identically to standard mode — with the CURLOPT_SSL_VERIFYPEER option enabled and set to true.
An attacker can perform a man-in-the-middle attack by intercepting or modifying resources downloaded by LibreOffice (e.g., remote images), and potentially inject malicious content into processed documents. The lack of server identity verification exposes the confidentiality and integrity of data transmitted over encrypted TLS connections.
LibreOffice should be updated to version 24.2.4 or newer, in which the CURLOPT_SSL_VERIFYPEER option is properly set to true also in LibreOfficeKit mode. Details are available in the vendor's security advisory: https://www.libreoffice.org/about-us/security/advisories/cve-2024-5261
LibreOffice versions prior to 24.2.4, exclusively in LibreOfficeKit mode (used by external components using LibreOffice as a C/C++ library)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XLibreoffice
APPLibreoffice< 24.2.4
Related vulnerabilities
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execu...
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execu...
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execu...
LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various do...
The get_app_path function in desktop/unx/source/start.c in LibreOffice through 6.0.5 mishandles the realpath f...