OpenSUSE Linux update for libreoffice



Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2020-12802
CVE-2020-12803
CWE-ID CWE-264
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Opensuse
Operating systems & Components / Operating system

Vendor SUSE

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU28799

Risk: Medium

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-12802

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to application does not properly impose security restrictions on remote graphic links loaded from docx documents, when LibreOffice has a 'stealth mode' enabled. A remote attacker can bypass implemented restriction and cause the application to load graphic links from untrused resources.

Mitigation

Update the affected packages.

Vulnerable software versions

Opensuse: 15.2

CPE2.3 External links

https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00058.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU28800

Risk: Medium

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-12803

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to insufficient validation of user-supplied input when processing submittable forms in ODF documents. LibreOffice allows to submit data to forms, available via the file:// URI. A remote attacker can create a specially crafted form, trick the victim into submitting it and overwrite arbitrary files on the system with privileges of the current user.

Mitigation

Update the affected packages.

Vulnerable software versions

Opensuse: 15.2

CPE2.3 External links

https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00058.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###