Security restrictions bypass in libreoffice (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-9849 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
libreoffice (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Security restrictions bypass
EUVDB-ID: #VU19225
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-9849
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to incorrect implementation of stealth mode feature, intended as an additional level of security that allows to retrieve online content into document from trusted resources only. A remote attacker can create a specially crafted document with bullet graphics, bypass the intended security restrictions and make the application retrieve data from arbitrary external sources.
Install update from vendor's website.
Vulnerable software versionslibreoffice (Alpine package): 6.2.4.2-r0 - 6.2.7.1-r0
External linkshttp://git.alpinelinux.org/aports/commit/?id=21f16e773dfa5bdb7de40ef44927cb37ca05d6c3
http://git.alpinelinux.org/aports/commit/?id=e1bb2fed23c4ced50e06b6fb6f9f9a03f628fc72
http://git.alpinelinux.org/aports/commit/?id=b0081284ea36cbfdef2b4d3de343f33e450192b4
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
