CVE-2023-7101

Warnung

EPSS 89.98%
Veröffentlicht 24.12.2023 22:15:07
Zuletzt bearbeitet 10.03.2025 20:23:08
Quelle mandiant-cve@google.com
Teams Watchlist Login
Unerledigt Login

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 2 Referenzen 14

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jmcnamara ≫ Spreadsheet::parseexcel SwPlatformperl Version <= 0.65

Debian ≫ Debian Linux Version10.0

Fedoraproject ≫ Fedora Version38

Fedoraproject ≫ Fedora Version39

02.01.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Spreadsheet::ParseExcel Remote Code Execution Vulnerability

Schwachstelle

Spreadsheet::ParseExcel contains a remote code execution vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings within the Excel parsing logic.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	89.98%	0.996

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

http://www.openwall.com/lists/oss-security/2023/12/29/4

Patch

Third Party Advisory

Mailing List

https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171

Product

https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md

Third Party Advisory

https://https://github.com/haile01/perl_spreadsheet_excel_rce_poc

Third Party Advisory

Broken Link

https://https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc