LibreOfficeKit Disables TLS Certification Verification in Affected Versions
CVE-2024-5261

Currently unrated

Key Information:

Vendor: The Document Foundation
Status: Libreoffice
Vendor: CVE Published:; 25 June 2024

🔔 Create The Document Foundation Vulnerability Alert

What is CVE-2024-5261?

Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification

LibreOfficeKit can be used for accessing LibreOffice functionality through C/C++. Typically this is used by third party components to reuse LibreOffice as a library to convert, view or otherwise interact with documents.

LibreOffice internally makes use of "curl" to fetch remote resources such as images hosted on webservers.

In affected versions of LibreOffice, when used in LibreOfficeKit mode only, then curl's TLS certification verification was disabled (CURLOPT_SSL_VERIFYPEER of false)

In the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode with CURLOPT_SSL_VERIFYPEER of true.

This issue affects LibreOffice before version 24.2.4.

Affected Version(s)

LibreOffice 24.2 < 24.2.4

References

https://www.libreoffice.org/about-us/security/advisories/...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 25, 2024
Vulnerability Reserved
May 23, 2024

Credit

OpenSource Security GmbH

JSON