Alpine: multiple libreoffice packages: security update to 6.3.1.2-r0

critical Tenable Self-Hosted Container Security Plugin ID 405257

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various
script events such as mouse-over, document-open, etc. Access is intended to be restricted to scripts under
the share/Scripts/python and user/Scripts/python sub-directories of the LibreOffice install. Protection was
added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary
locations on the file system could be executed by employing a URL encoding attack to defeat the path
verification step. However, this protection could be bypassed by taking advantage of a flaw in how
LibreOffice assembled the final script URL location: directly from components of the passed-in path, as
opposed to solely from the sanitized output of the path verification step. This issue affects: Document
Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1. (CVE-2019-9854)

- LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can
execute arbitrary Python commands contained within the document it is launched from. LibreOffice also has a
feature where documents can specify that pre-installed scripts can be executed on various document script
events such as mouse-over, etc. Protection was added to block calling LibreLogo from script event handlers.
However, a Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows, in that a
document could trigger execution of LibreLogo via a Windows filename pseudonym. This issue affects: Document
Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1. (CVE-2019-9855)
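The bug class described for CVE-2019-9854, verifying a path and then building the final location from the raw input instead of the verifier's output, is shown below as a simplified model next to its corrected form. This is an added example, not LibreOffice code or part of the plugin; the install prefix, function names and sample requests are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed install prefix; the two sub-directories are the ones the advisory names.
INSTALL = "/opt/libreoffice"
ALLOWED = {
    "share": posixpath.join(INSTALL, "share/Scripts/python"),
    "user": posixpath.join(INSTALL, "user/Scripts/python"),
}

def sanitize(location, raw_path):
    """Verification step (hypothetical): decode once, drop traversal segments,
    and return an absolute path under the allowed root, or None."""
    root = ALLOWED.get(location)
    if root is None:
        return None
    parts = [p for p in unquote(raw_path).split("/") if p not in ("", ".", "..")]
    return posixpath.join(root, *parts) if parts else None

def resolve_flawed(location, raw_path):
    """Bug class: verification runs, but its sanitized output is discarded."""
    if sanitize(location, raw_path) is None:
        return None
    # The final location is reassembled from the raw, passed-in components.
    return posixpath.normpath(posixpath.join(ALLOWED[location], unquote(raw_path)))

def resolve_hardened(location, raw_path):
    """Use only the verifier's output, then re-check containment before use."""
    safe = sanitize(location, raw_path)
    if safe is None:
        return None
    root = ALLOWED[location]
    return safe if posixpath.commonpath([root, safe]) == root else None

def inside_allowed(path):
    """True if path lies under one of the allowed script roots."""
    return path is not None and any(
        posixpath.commonpath([r, path]) == r for r in ALLOWED.values())

# Constructed sample requests (not taken from the advisory).
SAMPLES = [("share", "Capitalise.py"), ("user", "%2e%2e/%2e%2e/%2e%2e/tmp/x.py")]

if __name__ == "__main__":
    for loc, raw in SAMPLES:
        flawed, fixed = resolve_flawed(loc, raw), resolve_hardened(loc, raw)
        print(f"{loc}:{raw}\n  flawed   -> {flawed} (allowed={inside_allowed(flawed)})"
              f"\n  hardened -> {fixed} (allowed={inside_allowed(fixed)})")
```

The property to check in review is that every consumer downstream of the verifier receives the verifier's return value and never the original string.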

See Also

https://security.alpinelinux.org/vuln/CVE-2019-9854

https://security.alpinelinux.org/vuln/CVE-2019-9855

Plugin Details

Severity: Critical

ID: 405257

Version: Revision 1.28

Type: Local

Published: 10/31/2023

Updated: 12/4/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-9855

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 9/6/2019

Reference Information

CVE: CVE-2019-9854, CVE-2019-9855

IAVB: 2019-B-0078