CVE-2019-9851 — CRITICAL (9.8)

Q: How severe is CVE-2019-9851?

CVE-2019-9851 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2019-9851?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Debian Debian Linux, Fedoraproject Fedora, Opensuse Leap, Libreoffice Libreoffice.

Vulnerability Description

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over. However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Canonical	Ubuntu Linux	16.04
Debian	Debian Linux	8.0
Fedoraproject	Fedora	29
Opensuse	Leap	15.0
Libreoffice	Libreoffice	< 6.2.6

Related Weaknesses (CWE)

CWE-20

References

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.htmlMailing ListThird Party Advisory
http://packetstormsecurity.com/files/154168/LibreOffice-Macro-Python-Code-ExecutThird Party AdvisoryVDB Entry
https://lists.debian.org/debian-lts-announce/2019/10/msg00005.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://seclists.org/bugtraq/2019/Aug/28Mailing ListThird Party Advisory
https://usn.ubuntu.com/4102-1/Third Party Advisory
https://www.debian.org/security/2019/dsa-4501Third Party Advisory
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9851Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.htmlMailing ListThird Party Advisory
http://packetstormsecurity.com/files/154168/LibreOffice-Macro-Python-Code-ExecutThird Party AdvisoryVDB Entry
https://lists.debian.org/debian-lts-announce/2019/10/msg00005.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://seclists.org/bugtraq/2019/Aug/28Mailing ListThird Party Advisory

FAQ

What is CVE-2019-9851?

CVE-2019-9851 is a vulnerability with a CVSS score of 9.8 (CRITICAL). LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection w...

How severe is CVE-2019-9851?

CVE-2019-9851 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-9851?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Debian Debian Linux, Fedoraproject Fedora, Opensuse Leap, Libreoffice Libreoffice.