PT-2024-4414 · Curl+7

Published

2024-06-25

·

Updated

2025-01-14

·

CVE-2024-5261

CVSS v2.0

10

Critical

Vector AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: LibreOffice versions prior to 24.2.4

Description: LibreOffice running in "LibreOfficeKit" mode (the library interface used by applications that embed LibreOffice) did not verify TLS server certificates. When LibreOffice uses curl internally to fetch remote resources, such as images hosted on web servers, the connection was configured with CURLOPT_SSL_VERIFYPEER set to false, so a forged or self-signed certificate was accepted and an attacker able to intercept the connection could impersonate the server and substitute the fetched content. In the fixed versions curl is configured with CURLOPT_SSL_VERIFYPEER set to true in LibreOfficeKit mode as well, restoring proper TLS certificate verification.

Recommendations: For versions prior to 24.2.4, update to LibreOffice 24.2.4 or later. Until the update can be applied, avoid running LibreOffice in LibreOfficeKit mode where that is an option, and restrict the remote resources that LibreOfficeKit deployments are allowed to fetch (for example by limiting outbound HTTPS to trusted hosts) so that an attacker who can tamper with network traffic cannot exploit the missing certificate check. If you build or patch LibreOffice yourself, do not configure curl with CURLOPT_SSL_VERIFYPEER set to false in LibreOfficeKit mode.
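The root cause above is a single libcurl option being set to a disabling value on one code path, which is exactly the kind of defect a source audit can catch before release. The script below is an added example written for this advisory, not LibreOffice's or curl's own code: it scans C/C++ source for `curl_easy_setopt` calls that set CURLOPT_SSL_VERIFYPEER to 0/false, and goes one step beyond the advisory by also flagging CURLOPT_SSL_VERIFYHOST set to 0 and by reporting conditional expressions (`cond ? 0L : 1L`) that disable verification on only one branch, which is the shape of the LibreOfficeKit-mode bug. The embedded sample source is constructed for the demonstration and `isLOKActive` is a hypothetical stand-in for the project's LibreOfficeKit-mode check; neither is the real LibreOffice code.

```python
"""Audit C/C++ sources for libcurl calls that disable TLS verification.

Added example for this advisory; not LibreOffice's or curl's own code.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the pattern the advisory describes (peer
# verification switched off when LibreOfficeKit mode is active). It is NOT the
# real LibreOffice source; `isLOKActive` is a hypothetical stand-in for the
# project's LibreOfficeKit-mode check.
SAMPLE_SOURCE = r"""
#include <curl/curl.h>

static void configure_vulnerable(CURL *curl, bool isLOKActive)
{
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.invalid/logo.png");
    // Pre-fix pattern: certificate verification is disabled in LOK mode.
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER,
                     isLOKActive ? 0L : 1L);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
    /* curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);  -- commented out */
}

static void configure_fixed(CURL *curl)
{
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
}

static void debug_only(CURL *curl)
{
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, false);
}
"""

# Literal values that turn verification off for either option.
DISABLED_LITERALS = {"0", "0l", "false"}

# String literals are matched first so a "//" inside a URL is not taken for a
# comment; the two comment forms are then blanked out.
_TOKEN_RE = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)

# curl_easy_setopt(handle, CURLOPT_SSL_VERIFY{PEER,HOST}, <value>);  (may span lines)
_SETOPT_RE = re.compile(
    r"curl_easy_setopt\s*\(\s*([^,]+?)\s*,\s*(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*(.*?)\s*\)\s*;",
    re.S,
)


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line of the curl_easy_setopt call
    option: str      # CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST
    value: str       # the value expression as written (whitespace collapsed)
    severity: str    # "disabled" (always off) or "conditional" (off on one branch)


def _strip_comments(src: str) -> str:
    """Blank out comments but keep string literals and every newline, so the
    line numbers computed on the cleaned text match the original file."""
    def repl(m: re.Match) -> str:
        tok = m.group(0)
        if tok.startswith('"'):
            return tok
        return re.sub(r"[^\n]", " ", tok)
    return _TOKEN_RE.sub(repl, src)


def _classify(value: str):
    """Return "disabled", "conditional" or None for a setopt value expression."""
    v = re.sub(r"\s+", "", value).lower()
    v = re.sub(r"^\(long\)", "", v)          # tolerate an explicit (long) cast
    if v in DISABLED_LITERALS:
        return "disabled"
    if "?" in v and ":" in v:
        # Heuristic ternary split: flag if either arm is a disabling literal.
        _cond, _, arms = v.partition("?")
        a, _, b = arms.partition(":")
        if a in DISABLED_LITERALS or b in DISABLED_LITERALS:
            return "conditional"
    return None


def audit(source: str) -> list:
    """Return all findings for one source file, in file order."""
    clean = _strip_comments(source)
    findings = []
    for m in _SETOPT_RE.finditer(clean):
        severity = _classify(m.group(3))
        if severity:
            line = clean.count("\n", 0, m.start()) + 1
            findings.append(Finding(line, m.group(2), " ".join(m.group(3).split()), severity))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.option} = {f.value}  [{f.severity}]")
```

Run against the embedded sample it reports the conditional VERIFYPEER on line 8 and the two hard-disabled options in `debug_only`, and stays silent on `configure_fixed` and on the commented-out call. The regex approach is deliberately narrow: it catches the direct `curl_easy_setopt` idiom, not values routed through variables or wrapper functions, so treat a clean run as a first filter rather than proof that verification is on.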

Weakness Enumeration

Improper Certificate Validation (CWE-295)

Related Identifiers

ALT-PU-2024-11573
ALT-PU-2024-14937
ALT-PU-2024-15239
BDU:2024-04913
CVE-2024-5261
MGASA-2024-0268
OPENSUSE-SU-2024:14186-1
OPENSUSE-SU-2024:3577-1
SUSE-SU-2024:3576-1
SUSE-SU-2024:3577-1
USN-6877-1

Affected Products

ALT Linux
Astra Linux
LibreOffice
Linux Mint
RED OS
SUSE
Ubuntu
curl