Vulnerabilities > CVE-2019-9855 - Channel and Path Errors vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added to block calling LibreLogo from script event handers. However a Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows that a document could trigger executing LibreLogo via a Windows filename pseudonym. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2183.NASL description This update for libreoffice fixes the following issues : Updated to version 6.2.7.1. Security issues fixed : - CVE-2019-9849: Disabled fetching remote bullet graphics in last seen 2020-06-01 modified 2020-06-02 plugin id 129346 published 2019-09-25 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129346 title openSUSE Security Update : libreoffice (openSUSE-2019-2183) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2361.NASL description This update for libreoffice fixes the following issues: 	 Updated to version 6.2.7.1. Security issues fixed : - CVE-2019-9854: Fixed unsafe URL assembly flaw (bsc#1149944). - CVE-2019-9855: Fixed path equivalence handling flaw (bsc#1149943) This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 130143 published 2019-10-22 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130143 title openSUSE Security Update : libreoffice (openSUSE-2019-2361) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2402-1.NASL description This update for libreoffice fixes the following issues : Updated to version 6.2.7.1. Security issues fixed : CVE-2019-9849: Disabled fetching remote bullet graphics in last seen 2020-06-01 modified 2020-06-02 plugin id 129046 published 2019-09-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129046 title SUSE SLED15 / SLES15 Security Update : libreoffice (SUSE-SU-2019:2402-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2401-1.NASL description This update for libreoffice to version 6.2.7.1 fixes the following issues : Security issues fixed : CVE-2019-9849: Disabled fetching remote bullet graphics in last seen 2020-06-01 modified 2020-06-02 plugin id 129045 published 2019-09-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129045 title SUSE SLED12 Security Update : libreoffice (SUSE-SU-2019:2401-1) NASL family Windows NASL id LIBREOFFICE_631.NASL description The version of LibreOffice installed on the remote Windows host is prior to 6.2.7 or 6.3.x prior to 6.3.1. It is, therefore, affected by the following vulnerabilities: - A directory traversal vulnerability resulting from a feature in LibreOffice which allows documents to specify pre-installed macros that can be executed on various script events. Only scripts under the last seen 2020-06-01 modified 2020-06-02 plugin id 129535 published 2019-10-03 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129535 title LibreOffice < 6.2.7 / 6.3.x < 6.3.1 Multiple Vulnerabilities (Windows)