CVE-2024-12426

Published Jan 7, 2025

Last updated 3 months ago

CVSS medium 6.7

Overview

Description
Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice. URLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links. This issue affects LibreOffice: from 24.8 before < 24.8.4.
Source
security@documentfoundation.org
NVD status
Analyzed
Products
libreoffice, debian_linux

Risk scores

CVSS 4.0

Type
Secondary
Base score
6.7
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

CVSS 3.1

Type
Primary
Base score
6.5
Impact score
3.6
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

security@documentfoundation.org
CWE-200
nvd@nist.gov
NVD-CWE-noinfo

Social media

Hype score
Not currently trending

  1. Critical Vulnerabilities in LibreOffice Expose Users to Security Risks Two critical vulnerabilities, identified as CVE-2024-12425 and CVE-2024-12426, have been discovered in LibreOffice, the widely used open-source office suite. These security flaws allow attackers to write http

    @PPHM_HackerNews

    11 Jun 2025

    67 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Exploiting LibreOffice (CVE-2024-12425 and CVE-2024-12426) https://t.co/VDO5CoXMtr https://t.co/st1TzrRQj8

    @secharvesterx

    21 Mar 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. LibreOfficeの脆弱性を悪用するPoCが公開(CVE-2024-12425,CVE-2024-12426) https://t.co/ePCuryaTff #izumino_trend

    @sec_trend

    19 Feb 2025

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🔒 Atenção, usuários do LibreOffice! Vulnerabilidades críticas permitem execução de código arbitrário e manipulação de arquivos sensíveis. CVE-2024-12425 e CVE-2024-12426 podem comprometer suas informações. Atualize agora para se proteger!

    @IncursioHack

    19 Feb 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. LibreOfficeの脆弱性を悪用するPoCが公開(CVE-2024-12425,CVE-2024-12426) #セキュリティ #セキュリティ対策Lab https://t.co/KDxItn0Rl4

    @securityLab_jp

    19 Feb 2025

    17 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨 Two critical vulnerabilities in LibreOffice (CVE-2024-12425 &amp; CVE-2024-12426) can be exploited via malicious documents, posing serious risks. Update to version 24.8.4 ASAP! 🔒 #LibreOffice #DataSecurity #USA link: https://t.co/FJwYyDokH8 https://t.co/zr7pEQP6xW

    @TweetThreatNews

    18 Feb 2025

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. #LibreOffice: patches two #vulnerabilities allowing arbitrary file writes &amp; remote data extraction from environment variables &amp; configuration files. CVE-2024-12425 &amp; CVE-2024-12426 require no user interaction beyond opening a malicious document: 👇 🔗 https://t.co/p

    @StringsVsAtoms

    18 Feb 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. #LibreOffice: patches two #vulnerabilities allowing arbitrary file writes &amp; remote data extraction from environment variables &amp; configuration files. CVE-2024-12425 &amp; CVE-2024-12426 require no user interaction beyond opening a malicious document: 👇 https://t.co/vGSKI

    @securestep9

    18 Feb 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. LibreOffice Vulnerabilities (CVE-2024-12425 &amp; CVE-2024-12426): PoCs Released https://t.co/ehgycwRHSu

    @Dinosn

    18 Feb 2025

    2787 Impressions

    14 Retweets

    34 Likes

    8 Bookmarks

    0 Replies

    0 Quotes

  10. #exploit 1. CVE-2024-12425, CVE-2024-12426: LibreOffice Path Traversal https://t.co/6gInUfeAFA 2. CVE-2024-36412: Using XSS filters against XSS filters - Unexpected SQLI/RCE https://t.co/xh9NiHmgqa 3. CVE-2024-42327: Zabbix Privilege Escalation -&gt; RCE https://t.co/jQT6L9XMLy

    @ksg93rd

    17 Feb 2025

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. LibreOffice CVE-2024-12425: Path traversal leading to arbitrary .ttf file write https://t.co/ndGQTtCZH4 CVE-2024-12426: URL fetching can be used to exfiltrate arbitrary INI file values and environment variables https://t.co/VjegSgQnIw

    @autumn_good_35

    9 Jan 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. CVE-2024-12426 Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice. URLs could be con… https://t.co/aQ2Gemou3e

    @CVEnew

    7 Jan 2025

    359 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.CVE-2026-25506
  2. Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t he fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specifically by ta mpering with the the `vecsize` value read by `readOctetVector` — a 32-bit integer overflow can occur, causing `std::vector ::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3 .3.1, and 2.6.11 patch the issue.CVE-2025-64098
  3. Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un authenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft ed to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write s past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption ( RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.CVE-2025-62799
  4. Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specially `readOctetVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter — the attacker-contro lled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca tion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.CVE-2025-62602
  5. Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on going security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i .e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat es at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s o it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n umbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi ng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p atch the issue.CVE-2025-62603

References

Sources include official advisories and independent security research.