CVE-2024-12426: 
LibreOffice vulnerability analysis and mitigation

A vulnerability (CVE-2024-12426) was discovered in LibreOffice that allows exposure of environmental variables and arbitrary INI file values to unauthorized actors. The vulnerability affects LibreOffice versions from 24.8 before 24.8.4, and was disclosed on January 7, 2025. The issue involves URLs that could be constructed to expand environmental variables or INI file values, potentially allowing sensitive information to be exfiltrated to a remote server when opening a document containing such links (LibreOffice Advisory, NVD).

The vulnerability exploits LibreOffice's support for a URL scheme called 'vnd.sun.star.expand' which has variable-substitution functionality. This scheme allows for expansion of variables from INI files and environment variables. The vulnerability is particularly concerning as LibreOffice's INI parser can read TOML and .env configuration files, which often contain sensitive information such as API keys, database credentials, and secret tokens. The vulnerability has been assigned a CVSS 4.0 Base Score of 6.7 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N (SecurityOnline).

The vulnerability can lead to the exposure of sensitive system information, including environment variables, credentials, and configuration files. The attack can potentially extract data from email clients, chat applications, and other sensitive sources. Even environment variables that were manually passed to different processes can be extracted if they exist in the user's shell history file (SecurityOnline).

Users are strongly recommended to upgrade to LibreOffice version 24.8.4 or later to mitigate this vulnerability. In the fixed version, the expansion feature is not available in document-hosted URLs. The fix was provided by Caolán McNamara of Collabora Productivity (LibreOffice Advisory).