CVE-2019-9852

7.8 HIGH

📋 TL;DR

CVE-2019-9852 is a directory traversal vulnerability in LibreOffice that allows attackers to bypass URL encoding protections and execute arbitrary Python scripts from unauthorized locations. This affects LibreOffice versions prior to 6.2.6 and could lead to remote code execution when users open malicious documents.

💻 Affected Systems

Products:
  • LibreOffice
Versions: All versions prior to 6.2.6
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the macro execution feature; affects all default installations with macro support enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the LibreOffice user, potentially leading to full system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Execution of malicious scripts leading to data exfiltration, credential theft, or installation of backdoors when users open specially crafted documents.

🟢 If Mitigated

Limited impact if macros are disabled by policy or if documents are opened in sandboxed environments with restricted permissions.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious document) but could be delivered via email or web downloads.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared documents, but requires user interaction.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening malicious document) but the vulnerability is straightforward to exploit once a malicious document is crafted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.2.6 and later

Vendor Advisory: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9852/

Restart Required: No

Instructions:

1. Update LibreOffice to version 6.2.6 or later using your distribution's package manager or the official installer.
2. For Linux: sudo apt update && sudo apt upgrade libreoffice (Debian/Ubuntu) or sudo yum update libreoffice (RHEL/CentOS).
3. For Windows/macOS: download and install the latest version from libreoffice.org.

🔧 Temporary Workarounds

Disable macro execution (applies to: all platforms)

Prevent LibreOffice from executing any macros, which blocks exploitation of this vulnerability.

Tools → Options → Security → Macro Security → Set to 'Very High' (disable all macros)

Restrict document sources (applies to: all platforms)

Only open documents from trusted sources and avoid opening unexpected Office documents.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent unauthorized LibreOffice execution
  • Use sandboxing solutions to run LibreOffice in isolated environments

🔍 How to Verify

Check if Vulnerable:

Check LibreOffice version: Help → About LibreOffice. If version is below 6.2.6, system is vulnerable.

Check Version:

libreoffice --version (Linux/macOS) or check Help → About (Windows)

Verify Fix Applied:

Verify version is 6.2.6 or higher in Help → About LibreOffice. Test with known safe macro-enabled documents to ensure functionality remains.
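As an added example (not part of this advisory or of LibreOffice's own tooling), a POSIX shell check that parses the banner printed by libreoffice --version and reports whether the build predates the 6.2.6 fix. The banner format "LibreOffice 6.2.5.2 <buildid>" and the sample strings are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory: parse the banner printed by
# `libreoffice --version` and report whether the build predates the 6.2.6 fix
# for CVE-2019-9852. Assumes the banner looks like "LibreOffice 6.2.5.2 <buildid>".

FIXED_VERSION="6.2.6"

# Turn "6.2.5.2" into a sortable integer (6020502); a missing 4th component counts as 0.
version_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d%02d%02d%02d\n", $1, $2, $3, $4 }'
}

# Pull the first dotted numeric token out of the banner, e.g. "6.2.5.2".
version_from_banner() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+(\.[0-9]+)+$/) { print $i; exit }
    }'
}

# Print "vulnerable", "patched" or "unknown" for a given --version banner.
cve_2019_9852_status() {
    ver=$(version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    if [ "$(version_key "$ver")" -lt "$(version_key "$FIXED_VERSION")" ]; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Stand-alone use: check the local installation when the binary is on PATH.
if command -v libreoffice >/dev/null 2>&1; then
    banner=$(libreoffice --version 2>/dev/null | head -n 1)
    echo "$banner -> $(cve_2019_9852_status "$banner")"
fi
```

The check only compares version numbers; a distribution that backported the fix without bumping the version would still be reported as vulnerable, so confirm against the vendor's package changelog in that case.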

📡 Detection & Monitoring

Log Indicators:

  • Unusual macro execution events in LibreOffice logs
  • Execution of Python scripts from unexpected locations

Network Indicators:

  • Outbound connections from LibreOffice process to unexpected destinations after document opening

SIEM Query:

process_name:"soffice.bin" AND (event_type:"process_execution" OR cmdline:"python")
