CVE-2023-7101

CISA Known Exploited Vulnerability (KEV)

Vulnerability name: Spreadsheet::ParseExcel Remote Code Execution Vulnerability

Date added: January 2, 2024

Due date: January 23, 2024

Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.

Weakness Enumeration

CWE-ID    CWE Name

CWE-94    Improper Control of Generation of Code (‘Code Injection’)

CWE-95    Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Known Affected Software Configurations


cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.41:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.42:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.43:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.44:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.45:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.46:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.47:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.48:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.49:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.50:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.51:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.52:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.53:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.54:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.55:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.56:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.57:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.58:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.59:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.60:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.61:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.62:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.63:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.64:*:*:*:*:perl:*:*

cpe:2.3:a:jmcnamara:spreadsheet::parseexcel:0.65:*:*:*:*:perl:*:*

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Details

Source:
NVD
Published:
Updated:

Risk information

CVSS v3

Base score:
7.8
Severity:

HIGH

Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2

Not defined