CVE-2023-7101

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
Configurations

Configuration 1 (hide)

cpe:2.3:a:jmcnamara:spreadsheet\:\:parseexcel:*:*:*:*:*:perl:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

History

09 Jan 2024, 20:07

Type Values Removed Values Added
References () http://www.openwall.com/lists/oss-security/2023/12/29/4 - () http://www.openwall.com/lists/oss-security/2023/12/29/4 - Mailing List, Third Party Advisory
References () https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171 - () https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171 - Product
References () https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md - () https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md - Third Party Advisory
References () https://https://github.com/haile01/perl_spreadsheet_excel_rce_poc - () https://https://github.com/haile01/perl_spreadsheet_excel_rce_poc - Third Party Advisory
References () https://https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc - () https://https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc - Patch
References () https://https://metacpan.org/dist/Spreadsheet-ParseExcel - () https://https://metacpan.org/dist/Spreadsheet-ParseExcel - Product
References () https://https://www.cve.org/CVERecord?id=CVE-2023-7101 - () https://https://www.cve.org/CVERecord?id=CVE-2023-7101 - Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2023/12/msg00025.html - () https://lists.debian.org/debian-lts-announce/2023/12/msg00025.html - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFEHKULQRVXHIV7XXK2RGD4VQN6Y4CV5/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFEHKULQRVXHIV7XXK2RGD4VQN6Y4CV5/ - Mailing List
References () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2FIWDHRYTAAQLGM6AFOZVM7AFZ4H2ZR/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2FIWDHRYTAAQLGM6AFOZVM7AFZ4H2ZR/ - Mailing List
CWE CWE-94
First Time Debian
Fedoraproject
Jmcnamara
Jmcnamara spreadsheet\
Debian debian Linux
Fedoraproject fedora
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8
CPE cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
cpe:2.3:a:jmcnamara:spreadsheet\:\:parseexcel:*:*:*:*:*:perl:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

08 Jan 2024, 03:15

Type Values Removed Values Added
References
  • () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFEHKULQRVXHIV7XXK2RGD4VQN6Y4CV5/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2FIWDHRYTAAQLGM6AFOZVM7AFZ4H2ZR/ -

03 Jan 2024, 17:15

Type Values Removed Values Added
References
  • () https://https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc -

31 Dec 2023, 03:15

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2023/12/msg00025.html -

29 Dec 2023, 18:15

Type Values Removed Values Added
Summary
  • (es) Spreadsheet::ParseExcel version 0.65 es un módulo Perl utilizado para analizar archivos Excel. Spreadsheet::ParseExcel es afectado por una vulnerabilidad de ejecución de código arbitrario (ACE) debido a que se pasa una entrada no validada de un archivo a una "evaluación" de tipo cadena. Específicamente, el problema surge de la evaluación de cadenas de formato numérico (que no deben confundirse con cadenas de formato de estilo printf) dentro de la lógica de análisis de Excel.
References
  • () http://www.openwall.com/lists/oss-security/2023/12/29/4 -

24 Dec 2023, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-12-24 22:15

Updated : 2024-01-09 20:07


NVD link : CVE-2023-7101

Mitre link : CVE-2023-7101

CVE.ORG link : CVE-2023-7101


JSON object : View

Products Affected

debian

  • debian_linux

fedoraproject

  • fedora

jmcnamara

  • spreadsheet\
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')