cnvd - cnvd-2019-31195

cnvd-2019-31195

Vulnerability from cnvd

Title: LibreOffice路径遍历漏洞

Description:

LibreOffice是文档基金会（The Document Foundation，TDF）的一套开源的办公软件套件。该产品包含Writer（文本文档）、Calc（电子表格）和Impress（演示文稿）等应用程序。

LibreOffice 6.2.7之前的6.2版本和6.3.1之前的6.3版本中存在路径遍历漏洞，该漏洞源于网络系统或产品未能正确地过滤资源或文件路径中的特殊元素，攻击者可利用该漏洞访问受限目录之外的位置。

Severity: 高

Patch Name: LibreOffice路径遍历漏洞的补丁

Patch Description:

LibreOffice 6.2.7之前的6.2版本和6.3.1之前的6.3版本中存在路径遍历漏洞，该漏洞源于网络系统或产品未能正确地过滤资源或文件路径中的特殊元素，攻击者可利用该漏洞访问受限目录之外的位置。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/

Reference: https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/ https://www.debian.org/security/2019/dsa-4519 https://nvd.nist.gov/vuln/detail/CVE-2019-9854 https://www.auscert.org.au/bulletins/ESB-2019.3396/

Impacted products

Name
['The Document Foundation（TDF） LibreOffice 6.2.，<6.2.7', 'The Document Foundation（TDF） LibreOffice 6.3.，<6.3.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-9854"
    }
  },
  "description": "LibreOffice\u662f\u6587\u6863\u57fa\u91d1\u4f1a\uff08The Document Foundation\uff0cTDF\uff09\u7684\u4e00\u5957\u5f00\u6e90\u7684\u529e\u516c\u8f6f\u4ef6\u5957\u4ef6\u3002\u8be5\u4ea7\u54c1\u5305\u542bWriter\uff08\u6587\u672c\u6587\u6863\uff09\u3001Calc\uff08\u7535\u5b50\u8868\u683c\uff09\u548cImpress\uff08\u6f14\u793a\u6587\u7a3f\uff09\u7b49\u5e94\u7528\u7a0b\u5e8f\u3002\n\nLibreOffice 6.2.7\u4e4b\u524d\u76846.2\u7248\u672c\u548c6.3.1\u4e4b\u524d\u76846.3\u7248\u672c\u4e2d\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u80fd\u6b63\u786e\u5730\u8fc7\u6ee4\u8d44\u6e90\u6216\u6587\u4ef6\u8def\u5f84\u4e2d\u7684\u7279\u6b8a\u5143\u7d20\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u53d7\u9650\u76ee\u5f55\u4e4b\u5916\u7684\u4f4d\u7f6e\u3002",
  "discovererName": "RiceX",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-31195",
  "openTime": "2019-09-12",
  "patchDescription": "LibreOffice\u662f\u6587\u6863\u57fa\u91d1\u4f1a\uff08The Document Foundation\uff0cTDF\uff09\u7684\u4e00\u5957\u5f00\u6e90\u7684\u529e\u516c\u8f6f\u4ef6\u5957\u4ef6\u3002\u8be5\u4ea7\u54c1\u5305\u542bWriter\uff08\u6587\u672c\u6587\u6863\uff09\u3001Calc\uff08\u7535\u5b50\u8868\u683c\uff09\u548cImpress\uff08\u6f14\u793a\u6587\u7a3f\uff09\u7b49\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nLibreOffice 6.2.7\u4e4b\u524d\u76846.2\u7248\u672c\u548c6.3.1\u4e4b\u524d\u76846.3\u7248\u672c\u4e2d\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u80fd\u6b63\u786e\u5730\u8fc7\u6ee4\u8d44\u6e90\u6216\u6587\u4ef6\u8def\u5f84\u4e2d\u7684\u7279\u6b8a\u5143\u7d20\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u53d7\u9650\u76ee\u5f55\u4e4b\u5916\u7684\u4f4d\u7f6e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "LibreOffice\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "The Document Foundation\uff08TDF\uff09 LibreOffice  6.2.*\uff0c\u003c6.2.7",
      "The Document Foundation\uff08TDF\uff09 LibreOffice  6.3.*\uff0c\u003c6.3.1"
    ]
  },
  "referenceLink": "https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/\r\nhttps://www.debian.org/security/2019/dsa-4519\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-9854\r\nhttps://www.auscert.org.au/bulletins/ESB-2019.3396/",
  "serverity": "\u9ad8",
  "submitTime": "2019-09-10",
  "title": "LibreOffice\u8def\u5f84\u904d\u5386\u6f0f\u6d1e"
}

CVE-2019-9854 (GCVE-0-2019-9854)

Vulnerability from cvelistv5

Published

2019-09-06 18:30

Modified

2024-09-16 19:24

Severity ?

CWE

Unsafe URL assembly flaw in allowed script location check

Summary

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.

References

▼	URL	Tags
	https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/	x_refsource_CONFIRM
	https://www.debian.org/security/2019/dsa-4519	vendor-advisory, x_refsource_DEBIAN
	https://seclists.org/bugtraq/2019/Sep/17	mailing-list, x_refsource_BUGTRAQ
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQKKOIY2DMZCXJINOLIQXD2NWISDKK3N/	vendor-advisory, x_refsource_FEDORA
	https://usn.ubuntu.com/4138-1/	vendor-advisory, x_refsource_UBUNTU
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html	vendor-advisory, x_refsource_SUSE
	https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html	mailing-list, x_refsource_MLIST
	http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00055.html	vendor-advisory, x_refsource_SUSE

Impacted products

	Vendor	Product	Version
	Document Foundation	LibreOffice	Version: 6.2 < 6.2.7 Version: 6.3 < 6.3.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:01:55.131Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/"
          },
          {
            "name": "DSA-4519",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4519"
          },
          {
            "name": "20190910 [SECURITY] [DSA 4519-1] libreoffice security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Sep/17"
          },
          {
            "name": "FEDORA-2019-9627e1402e",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQKKOIY2DMZCXJINOLIQXD2NWISDKK3N/"
          },
          {
            "name": "USN-4138-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4138-1/"
          },
          {
            "name": "openSUSE-SU-2019:2183",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html"
          },
          {
            "name": "[debian-lts-announce] 20191006 [SECURITY] [DLA 1947-1] libreoffice security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html"
          },
          {
            "name": "openSUSE-SU-2019:2361",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00055.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LibreOffice",
          "vendor": "Document Foundation",
          "versions": [
            {
              "lessThan": "6.2.7",
              "status": "affected",
              "version": "6.2",
              "versionType": "custom"
            },
            {
              "lessThan": "6.3.1",
              "status": "affected",
              "version": "6.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Thanks to RiceX(@ricex_cc) for reporting this issue"
        }
      ],
      "datePublic": "2019-09-06T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Unsafe URL assembly flaw in allowed script location check",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-22T05:03:54",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/"
        },
        {
          "name": "DSA-4519",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4519"
        },
        {
          "name": "20190910 [SECURITY] [DSA 4519-1] libreoffice security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Sep/17"
        },
        {
          "name": "FEDORA-2019-9627e1402e",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQKKOIY2DMZCXJINOLIQXD2NWISDKK3N/"
        },
        {
          "name": "USN-4138-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4138-1/"
        },
        {
          "name": "openSUSE-SU-2019:2183",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html"
        },
        {
          "name": "[debian-lts-announce] 20191006 [SECURITY] [DLA 1947-1] libreoffice security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html"
        },
        {
          "name": "openSUSE-SU-2019:2361",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00055.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Unsafe URL assembly flaw in allowed script location check",
      "x_generator": {
        "engine": "Vulnogram 0.0.7"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@documentfoundation.org",
          "DATE_PUBLIC": "2019-09-06T00:00:00.000Z",
          "ID": "CVE-2019-9854",
          "STATE": "PUBLIC",
          "TITLE": "Unsafe URL assembly flaw in allowed script location check"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "LibreOffice",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "6.2",
                            "version_value": "6.2.7"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "6.3",
                            "version_value": "6.3.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Document Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Thanks to RiceX(@ricex_cc) for reporting this issue"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.7"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Unsafe URL assembly flaw in allowed script location check"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/",
              "refsource": "CONFIRM",
              "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/"
            },
            {
              "name": "DSA-4519",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4519"
            },
            {
              "name": "20190910 [SECURITY] [DSA 4519-1] libreoffice security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Sep/17"
            },
            {
              "name": "FEDORA-2019-9627e1402e",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQKKOIY2DMZCXJINOLIQXD2NWISDKK3N/"
            },
            {
              "name": "USN-4138-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4138-1/"
            },
            {
              "name": "openSUSE-SU-2019:2183",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html"
            },
            {
              "name": "[debian-lts-announce] 20191006 [SECURITY] [DLA 1947-1] libreoffice security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html"
            },
            {
              "name": "openSUSE-SU-2019:2361",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00055.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2019-9854",
    "datePublished": "2019-09-06T18:30:08.910063Z",
    "dateReserved": "2019-03-17T00:00:00",
    "dateUpdated": "2024-09-16T19:24:19.650Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted