Path Traversal Vulnerability in LibreOffice by The Document Foundation
CVE-2024-12425

2.4 LOW

Key Information:

Vendor
CVE Published: 7 January 2025

What is CVE-2024-12425?

CVE-2024-12425 is a vulnerability in LibreOffice, an open-source productivity suite developed by The Document Foundation for creating and editing documents. It is a path traversal flaw that malicious actors can exploit by manipulating file paths. Successful exploitation lets an attacker write to arbitrary locations on a system, potentially leading to unauthorized access or data compromise. The impact can severely threaten the confidentiality, integrity, and availability of user data, especially in organizational environments that rely on LibreOffice for critical operations.

Technical Details

The vulnerability is an improper limitation of a pathname to a restricted directory, a classic path traversal issue. Specifically, an attacker who supplies a file in a format that supports embedded font files can write to arbitrary locations on the host system, provided those locations end in ".ttf" (TrueType Font). Affected versions of LibreOffice are those from 24.8 up to, but not including, 24.8.4. As of now, there are no reports of active exploitation in the wild.
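
The flaw class described above, as an added example that is not LibreOffice's code and not part of the advisory: a naive join of an untrusted font name beside a containment check. It assumes a hypothetical extractor that writes each embedded font into a cache directory under a document-supplied name plus ".ttf"; the function names, cache path and sample names are constructed for illustration.

```python
import os

class UnsafeFontPath(ValueError):
    """The embedded font name resolves outside the font cache directory."""

def naive_font_path(cache_dir, font_name):
    # Vulnerable pattern (CWE-22): the document-supplied name is joined as-is,
    # so "../" segments or an absolute name choose the write location. Only
    # the ".ttf" suffix is fixed, matching the constraint in the advisory.
    return os.path.normpath(os.path.join(cache_dir, font_name + ".ttf"))

def contained_font_path(cache_dir, font_name):
    # Hardened: resolve symlinks and ".." first, then require the result to
    # sit under the cache root. commonpath compares whole path components,
    # so a sibling such as "<root>-other" is not mistaken for the root.
    root = os.path.realpath(cache_dir)
    candidate = os.path.realpath(os.path.join(root, font_name + ".ttf"))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeFontPath(f"{font_name!r} resolves to {candidate}")
    return candidate

def audit(cache_dir, names):
    """Map each name to its contained path, or None when it is rejected."""
    results = {}
    for name in names:
        try:
            results[name] = contained_font_path(cache_dir, name)
        except UnsafeFontPath:
            results[name] = None
    return results

# Constructed sample values, not taken from any real document.
CACHE_DIR = "/var/cache/example-fonts"
SAMPLE_NAMES = [
    "DejaVuSans",                  # ordinary embedded font name
    "../../elsewhere/payload",     # relative traversal
    "/tmp/absolute",               # absolute name discards the cache root
    "../example-fonts-other/a",    # sibling directory sharing the prefix
]

if __name__ == "__main__":
    for name, path in audit(CACHE_DIR, SAMPLE_NAMES).items():
        print(f"{name!r:30} -> {path or 'REJECTED'}")
    print("naive:", naive_font_path(CACHE_DIR, SAMPLE_NAMES[1]))
```

The sibling-directory sample is the case a plain string-prefix comparison would wrongly accept, which is why the check compares path components.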

Potential impact of CVE-2024-12425

  1. Unauthorized Data Access: The exploitation of this vulnerability can lead to attackers gaining unauthorized access to sensitive information stored on the affected systems, resulting in potential data breaches.

  2. System Integrity Compromise: Attackers can write files to arbitrary locations, which may allow them to place malicious files that compromise system integrity, leading to further exploitation or malware installation.

  3. Impact on Organizational Operations: Organizations may experience disruptions in their operations, particularly if sensitive data is accessed or modified by unauthorized users, resulting in financial and reputational damage.

Affected Version(s)

LibreOffice 24.8

CVSS V4

Score: 2.4
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thomas Rinsma of Codean Labs