{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/libreoffice/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Gotenberg (\u003c= 8.31.0)","LibreOffice"],"_cs_severities":["high"],"_cs_tags":["ssrf","gotenberg","libreoffice","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Gotenberg","LibreOffice"],"content_html":"\u003cp\u003eGotenberg, a Docker-based stateless API for PDF files, has a Server-Side Request Forgery (SSRF) vulnerability in its LibreOffice conversion endpoint. Specifically, the SSRF hardening implemented in version 8.31.0 does not adequately cover LibreOffice\u0026rsquo;s handling of external URLs embedded in uploaded documents. An attacker can craft a malicious document, such as a DOCX file containing external image references, that, when processed by the \u003ccode\u003e/forms/libreoffice/convert\u003c/code\u003e endpoint, causes LibreOffice to make outbound HTTP requests to attacker-controlled servers or internal resources. This bypasses the intended SSRF protections, potentially exposing internal services and sensitive data. 
This vulnerability was verified on version 8.31.0 using a crafted DOCX file and matters to defenders because it allows attackers to bypass network segmentation and access internal resources normally inaccessible from the internet.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious document (e.g., DOCX, XLSX, PPTX, ODT, ODS, ODP, RTF) embedding an external URL reference.\u003c/li\u003e\n\u003cli\u003eThe malicious document contains a relationship file (e.g., \u003ccode\u003eword/_rels/document.xml.rels\u003c/code\u003e) with a \u003ccode\u003eTargetMode=\u0026quot;External\u0026quot;\u003c/code\u003e attribute pointing to an attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted document to the \u003ccode\u003e/forms/libreoffice/convert\u003c/code\u003e endpoint of a vulnerable Gotenberg instance.\u003c/li\u003e\n\u003cli\u003eGotenberg\u0026rsquo;s \u003ccode\u003epkg/modules/libreoffice/routes.go\u003c/code\u003e passes the uploaded document directly to the LibreOffice process via \u003ccode\u003elibreOffice.Pdf()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eLibreOffice parses the document and, due to the external URL reference, initiates an HTTP request to the specified URL.\u003c/li\u003e\n\u003cli\u003eThe request bypasses Gotenberg\u0026rsquo;s Go-level SSRF protection mechanisms, as LibreOffice handles the HTTP connection directly using libcurl.\u003c/li\u003e\n\u003cli\u003eLibreOffice makes an HTTP GET request (and potentially an OPTIONS request) to the attacker-controlled server, potentially leaking information through the User-Agent header.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to internal resources, exfiltrates response data, or performs other malicious actions based on the SSRF vulnerability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of 
this SSRF vulnerability allows attackers to make outbound HTTP requests from the LibreOffice process, potentially reaching internal services and sensitive data. An attacker can target internal services within the container\u0026rsquo;s network, such as localhost or internal IP ranges (10.x, 192.168.x), access cloud metadata at \u003ccode\u003ehttp://169.254.169.254/\u003c/code\u003e to obtain AWS/GCP/Azure IAM credentials, or perform port scanning of the internal network. The vulnerability affects various document formats, including \u003ccode\u003e.docx\u003c/code\u003e, \u003ccode\u003e.docm\u003c/code\u003e, \u003ccode\u003e.xlsx\u003c/code\u003e, \u003ccode\u003e.xlsm\u003c/code\u003e, \u003ccode\u003e.pptx\u003c/code\u003e, \u003ccode\u003e.pptm\u003c/code\u003e, \u003ccode\u003e.odt\u003c/code\u003e, \u003ccode\u003e.ods\u003c/code\u003e, \u003ccode\u003e.odp\u003c/code\u003e, \u003ccode\u003e.rtf\u003c/code\u003e. The v8.31.0 SSRF hardening is ineffective, as it only covers Go HTTP calls, not LibreOffice\u0026rsquo;s connections.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement network segmentation by running LibreOffice with \u003ccode\u003eunshare --net\u003c/code\u003e to isolate the subprocess and prevent network access. This mitigates the risk of outbound requests, as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eDevelop and deploy a Sigma rule to detect suspicious process execution involving LibreOffice initiating network connections. 
Use process_creation logs and filter on Image containing \u0026ldquo;libreoffice\u0026rdquo; and Initiated: \u0026ldquo;true\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eAs defense in depth, scan uploaded OOXML files for \u003ccode\u003e_rels/*.rels\u003c/code\u003e entries with \u003ccode\u003eTargetMode=\u0026quot;External\u0026quot;\u003c/code\u003e and validate/strip those URLs before passing the file to LibreOffice.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T00:57:03Z","date_published":"2026-05-07T00:57:03Z","id":"/briefs/2024-01-02-gotenberg-ssrf/","summary":"Gotenberg is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient hardening in the LibreOffice conversion endpoint, allowing attackers to make outbound HTTP requests by embedding external URLs in uploaded documents, bypassing Gotenberg's SSRF filters, affecting versions up to 8.31.0, and potentially enabling access to internal services, data exfiltration, or port scanning.","title":"Gotenberg SSRF Vulnerability in LibreOffice Conversion Endpoint","url":"https://feed.craftedsignal.io/briefs/2024-01-02-gotenberg-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — LibreOffice","version":"https://jsonfeed.org/version/1.1"}