CRITICAL🇵🇱 Wersja polska

CVE-2024-5261

CVSS 10.0v4.0pub. 2024-06-25upd. 2025-12-23

Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification LibreOfficeKit can be used for accessing LibreOffice functionality through C/C++. Typically this is used by third party components to reuse LibreOffice as a library to convert, view or otherwise interact with documents. LibreOffice internally makes use of "curl" to fetch remote resources such as images hosted on webservers. In affected versions of LibreOffice, when used in LibreOfficeKit mode only, then curl's TLS certification verification was disabled (CURLOPT_SSL_VERIFYPEER of false) In the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode with CURLOPT_SSL_VERIFYPEER of true. This issue affects LibreOffice before version 24.2.4.

🤖 AI Analysis
How it works

LibreOffice internally uses the curl library to download remote resources, such as images hosted on web servers. In vulnerable versions, when LibreOffice operated in LibreOfficeKit mode, the curl option CURLOPT_SSL_VERIFYPEER was set to false, which meant complete bypass of TLS server certificate verification. An attacker capable of performing a man-in-the-middle attack could impersonate any remote server without detection by the application. In patched versions, LibreOfficeKit mode operates identically to standard mode — with the CURLOPT_SSL_VERIFYPEER option enabled and set to true.

Impact

An attacker can perform a man-in-the-middle attack by intercepting or modifying resources downloaded by LibreOffice (e.g., remote images), and potentially inject malicious content into processed documents. The lack of server identity verification exposes the confidentiality and integrity of data transmitted over encrypted TLS connections.

Mitigation & patch

LibreOffice should be updated to version 24.2.4 or newer, in which the CURLOPT_SSL_VERIFYPEER option is properly set to true also in LibreOfficeKit mode. Details are available in the vendor's security advisory: https://www.libreoffice.org/about-us/security/advisories/cve-2024-5261

Who is affected

LibreOffice versions prior to 24.2.4, exclusively in LibreOfficeKit mode (used by external components using LibreOffice as a C/C++ library)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Libreoffice

    APP
    Libreoffice
    < 24.2.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2019-9855CRITICAL9.8ten sam produkt

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execu...

CVE-2019-9851CRITICAL9.8ten sam produkt

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execu...

CVE-2019-9850CRITICAL9.8ten sam produkt

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execu...

CVE-2019-9848CRITICAL9.8ten sam produkt

LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various do...

CVE-2018-14939CRITICAL9.8ten sam produkt

The get_app_path function in desktop/unx/source/start.c in LibreOffice through 6.0.5 mishandles the realpath f...