7.8

CVE-2023-7101

Warnung

Arbitrary Code Execution (ACE) Vulnerability

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DebianDebian Linux Version10.0
FedoraprojectFedora Version38
FedoraprojectFedora Version39

02.01.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Spreadsheet::ParseExcel Remote Code Execution Vulnerability

Schwachstelle

Spreadsheet::ParseExcel contains a remote code execution vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings within the Excel parsing logic.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 16.83% 0.967
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

http://www.openwall.com/lists/oss-security/2023/12/29/4
Patch
Third Party Advisory
Mailing List
https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171
Product
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md
Third Party Advisory
https://https://github.com/haile01/perl_spreadsheet_excel_rce_poc
Third Party Advisory
Broken Link
https://https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc
Patch
Broken Link
https://https://metacpan.org/dist/Spreadsheet-ParseExcel
Broken Link
Product
https://https://www.cve.org/CVERecord?id=CVE-2023-7101
Third Party Advisory
Broken Link
https://lists.debian.org/debian-lts-announce/2023/12/msg00025.html
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFEHKULQRVXHIV7XXK2RGD4VQN6Y4CV5/
Broken Link
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2FIWDHRYTAAQLGM6AFOZVM7AFZ4H2ZR/
Broken Link
Mailing List
https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html
Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-7101
US Government Resource