CVE-2018-16858 - OpenCVE

It was found that libreoffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Libreoffice	Libreoffice

Configuration 1 [-]

OR	cpe:2.3:a:libreoffice:libreoffice::::::::
	cpe:2.3:a:libreoffice:libreoffice::::::::

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00059.html
http://packetstormsecurity.com/files/152560/LibreOffice-Macro-Code-Execution.html	Exploit Third Party Advisory VDB Entry
http://www.rapid7.com/db/modules/exploit/multi/fileformat/libreoffice_macro_exec	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2130
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16858	Issue Tracking Third Party Advisory
https://seclists.org/bugtraq/2019/Aug/28
https://www.exploit-db.com/exploits/46727/	Exploit Third Party Advisory VDB Entry
https://www.libreoffice.org/about-us/security/advisories/cve-2018-16858/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2019-03-25T17:43:08

Updated: 2019-08-18T15:06:07

Reserved: 2018-09-11T00:00:00

Link: CVE-2018-16858

JSON object: View

NVD Information

Status : Modified

Published: 2019-03-25T18:29:00.463

Modified: 2019-08-06T17:15:29.007

Link: CVE-2018-16858

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "libreoffice", "vendor": "[UNKNOWN]", "versions": [{"status": "affected", "version": "6.0.7"}, {"status": "affected", "version": "6.1.3"}]}], "descriptions": [{"lang": "en", "value": "It was found that libreoffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-356", "description": "CWE-356", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-08-18T15:06:07", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2018-16858/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16858"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/152560/LibreOffice-Macro-Code-Execution.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.rapid7.com/db/modules/exploit/multi/fileformat/libreoffice_macro_exec"}, {"name": "46727", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/46727/"}, {"name": "RHSA-2019:2130", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2130"}, {"name": "20190815 [SECURITY] [DSA 4501-1] libreoffice security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Aug/28"}, {"name": "openSUSE-SU-2019:1929", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00059.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2018-16858", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "libreoffice", "version": {"version_data": [{"version_value": "6.0.7"}, {"version_value": "6.1.3"}]}}]}, "vendor_name": "[UNKNOWN]"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was found that libreoffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location."}]}, "impact": {"cvss": [[{"vectorString": "7.8/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-356"}]}]}, "references": {"reference_data": [{"name": "https://www.libreoffice.org/about-us/security/advisories/cve-2018-16858/", "refsource": "MISC", "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2018-16858/"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16858", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16858"}, {"name": "http://packetstormsecurity.com/files/152560/LibreOffice-Macro-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/152560/LibreOffice-Macro-Code-Execution.html"}, {"name": "http://www.rapid7.com/db/modules/exploit/multi/fileformat/libreoffice_macro_exec", "refsource": "MISC", "url": "http://www.rapid7.com/db/modules/exploit/multi/fileformat/libreoffice_macro_exec"}, {"name": "46727", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/46727/"}, {"name": "RHSA-2019:2130", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2130"}, {"name": "20190815 [SECURITY] [DSA 4501-1] libreoffice security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Aug/28"}, {"name": "openSUSE-SU-2019:1929", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00059.html"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2018-16858", "datePublished": "2019-03-25T17:43:08", "dateReserved": "2018-09-11T00:00:00", "dateUpdated": "2019-08-18T15:06:07", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*", "matchCriteriaId": "3962F032-670C-45E8-8AF4-0D3CF08D7D3F", "versionEndExcluding": "6.0.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E9BC0F2-B5E0-4AE8-B5CD-B360A97D4273", "versionEndExcluding": "6.1.3", "versionStartIncluding": "6.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "It was found that libreoffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location."}, {"lang": "es", "value": "Se ha observado que libreoffice en versiones anteriores a la 6.0.7 y 6.1.3 era vulnerable a ataques de salto de directorio que podr\u00edan ser usados para ejecutar macros arbitrarios incluidos en un documento. Un atacante podr\u00eda manipular un documento que, al ser abierto por LibreOffice, ejecute un m\u00e9todo Python desde un script en cualquier ubicaci\u00f3n arbitrara del sistema de archivos, especificada de forma relativa a la ubicaci\u00f3n de instalaci\u00f3n de LibreOffice."}], "id": "CVE-2018-16858", "lastModified": "2019-08-06T17:15:29.007", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2019-03-25T18:29:00.463", "references": [{"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00059.html"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/152560/LibreOffice-Macro-Code-Execution.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.rapid7.com/db/modules/exploit/multi/fileformat/libreoffice_macro_exec"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2019:2130"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16858"}, {"source": "secalert@redhat.com", "url": "https://seclists.org/bugtraq/2019/Aug/28"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46727/"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2018-16858/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-356"}], "source": "secalert@redhat.com", "type": "Secondary"}]}