CVE-2024-5261 (CVSS 10): LibreOffice Patches Critical Vulnerability in LibreOfficeKit
The Document Foundation, the organization behind the popular open-source office suite LibreOffice, has issued an urgent security advisory regarding a critical vulnerability (CVE-2024-5261) in its LibreOfficeKit component. This flaw could allow attackers to intercept or manipulate data transmitted between LibreOffice and remote servers, potentially exposing sensitive information.
LibreOfficeKit is a tool that allows C/C++ applications to access LibreOffice functionality, enabling third-party components to use LibreOffice as a library for document conversion, viewing, and interaction. In the affected versions of LibreOffice, however, TLS certificate verification was disabled when running in LibreOfficeKit mode: curl’s option CURLOPT_SSL_VERIFYPEER was set to false, bypassing a crucial security check for remote resources fetched via LibreOfficeKit.
This lapse in security meant that when LibreOfficeKit accessed remote resources, such as images hosted on web servers, the authenticity of the server’s TLS certificate was not verified. This oversight could allow malicious actors to intercept and manipulate these resources, leading to potential data breaches and other security incidents.
The vulnerability was discovered by OpenSource Security GmbH on behalf of the German Federal Office for Information Security and promptly reported to The Document Foundation. The fix was developed by Thorsten Behrens of allotropia, a long-time contributor to the LibreOffice project.
The CVE-2024-5261 vulnerability has been assigned a CVSSv4 score of 10, the highest possible severity rating, highlighting the urgency for users to apply the fix. The Document Foundation strongly recommends upgrading to LibreOffice version 24.2.4 or later, which includes the necessary patch to address this issue. In the fixed versions, curl runs in LibreOfficeKit mode with CURLOPT_SSL_VERIFYPEER set to true, so TLS certificates are properly verified, in line with standard secure practice.
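One way to catch this class of regression in a C/C++ code base that links libcurl, as an added example that is not from LibreOffice or this advisory: a small static check that flags curl_easy_setopt calls which disable CURLOPT_SSL_VERIFYPEER (or CURLOPT_SSL_VERIFYHOST), run over constructed samples of the vulnerable and corrected settings. The sample source strings, the lok_mode flag and the audit_curl_tls function are assumptions made for the example.

```python
import re
from typing import List, Tuple

# libcurl verification options and the values that switch verification off.
# CURLOPT_SSL_VERIFYPEER=0 skips certificate chain validation (the CVE-2024-5261 case);
# CURLOPT_SSL_VERIFYHOST=0 skips matching the certificate name against the URL host.
UNSAFE_VALUES = {
    "CURLOPT_SSL_VERIFYPEER": {"0", "0L", "false", "FALSE"},
    "CURLOPT_SSL_VERIFYHOST": {"0", "0L", "false", "FALSE"},
}

# Matches curl_easy_setopt(<handle>, CURLOPT_SSL_VERIFY{PEER,HOST}, <value>)
SETOPT_RE = re.compile(
    r"curl_easy_setopt\s*\(\s*[^,]+,\s*(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*([^)]*?)\s*\)"
)


def audit_curl_tls(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, option, value) for every setopt call that disables
    TLS verification. Line numbers are 1-based. Comments are not parsed, so a
    commented-out call is reported as well, which is the conservative choice
    for an audit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for option, value in SETOPT_RE.findall(line):
            if value in UNSAFE_VALUES[option]:
                findings.append((lineno, option, value))
    return findings


# Constructed sample modelled on the described bug; not LibreOffice's source.
VULNERABLE_SRC = """\
CURL* curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, url);
if (lok_mode)
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
"""

# Constructed sample of the corrected configuration: verify the chain and the host name.
FIXED_SRC = """\
CURL* curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, url);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        print(name, audit_curl_tls(src) or "no TLS verification disabled")
```

The check is deliberately line-based so it can run in CI before a change that flips the option reaches a release.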