Main Vulnerability Database SB2018030614

SB2018030614 - Red Hat update for libreoffice

Published: March 6, 2018

Security Bulletin ID SB2018030614

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2018-1055)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists in LibreOffice Calc, which supports COM.MICROSOFT.WEBSERVICE function to obtain data by URL. The application allows WEBSERVICE to take a local file URL (e.g file://) which can be used to inject local files into the spreadsheet without warning the user. Subsequent formulas can operate on that inserted data and construct a remote URL. A remote attacker can create a specially crafted document, trick the victim into opening it and use WEBSERVICE functionality to send arbitrary local files to the attacker's controlled server.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2018:0418