CVE-2024-45293
Vulnerability from cvelistv5
Published
2024-10-07 20:03
Modified
2024-10-07 20:25
Severity ?
EPSS score ?
Summary
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload their own Excel (XLSX) sheets, Server files and sensitive information can be disclosed by providing a crafted sheet. The security scan function in src/PhpSpreadsheet/Reader/Security/XmlScanner.php contains a flawed XML encoding check to retrieve the input file's XML encoding in the toUtf8 function. The function searches for the XML encoding through a defined regex which looks for `encoding="*"` and/or `encoding='*'`, if not found, it defaults to the UTF-8 encoding which bypasses the conversion logic. This logic can be used to pass a UTF-7 encoded XXE payload, by utilizing a whitespace before or after the = in the attribute definition. Sensitive information disclosure through the XXE on sites that allow users to upload their own excel spreadsheets, and parse them using PHPSpreadsheet's Excel parser. This issue has been addressed in release versions 1.29.1, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | PHPOffice | PhpSpreadsheet |
Version: >= 2.2.0, < 2.3.0 Version: < 1.29.1 Version: >= 2.0.0, < 2.1.1 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "phpspreadsheet", "vendor": "phpoffice", "versions": [ { "lessThan": "2.3.0", "status": "affected", "version": "2.2.0", "versionType": "custom" }, { "lessThan": "1.29.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2.1.1", "status": "affected", "version": "2.0.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-45293", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-07T20:23:44.790245Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-07T20:25:10.635Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "PhpSpreadsheet", "vendor": "PHPOffice", "versions": [ { "status": "affected", "version": "\u003e= 2.2.0, \u003c 2.3.0" }, { "status": "affected", "version": "\u003c 1.29.1" }, { "status": "affected", "version": "\u003e= 2.0.0, \u003c 2.1.1" } ] } ], "descriptions": [ { "lang": "en", "value": "PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload their own Excel (XLSX) sheets, Server files and sensitive information can be disclosed by providing a crafted sheet. The security scan function in src/PhpSpreadsheet/Reader/Security/XmlScanner.php contains a flawed XML encoding check to retrieve the input file\u0027s XML encoding in the toUtf8 function. The function searches for the XML encoding through a defined regex which looks for `encoding=\"*\"` and/or `encoding=\u0027*\u0027`, if not found, it defaults to the UTF-8 encoding which bypasses the conversion logic. This logic can be used to pass a UTF-7 encoded XXE payload, by utilizing a whitespace before or after the = in the attribute definition. Sensitive information disclosure through the XXE on sites that allow users to upload their own excel spreadsheets, and parse them using PHPSpreadsheet\u0027s Excel parser. This issue has been addressed in release versions 1.29.1, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-07T20:03:27.080Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-6hwr-6v2f-3m88", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-6hwr-6v2f-3m88" } ], "source": { "advisory": "GHSA-6hwr-6v2f-3m88", "discovery": "UNKNOWN" }, "title": "XML External Entity Reference (XXE) in PHPSpreadsheet\u0027s XLSX reader" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-45293", "datePublished": "2024-10-07T20:03:27.080Z", "dateReserved": "2024-08-26T18:25:35.442Z", "dateUpdated": "2024-10-07T20:25:10.635Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-45293\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-10-07T20:15:06.100\",\"lastModified\":\"2024-10-10T12:57:21.987\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload their own Excel (XLSX) sheets, Server files and sensitive information can be disclosed by providing a crafted sheet. The security scan function in src/PhpSpreadsheet/Reader/Security/XmlScanner.php contains a flawed XML encoding check to retrieve the input file\u0027s XML encoding in the toUtf8 function. The function searches for the XML encoding through a defined regex which looks for `encoding=\\\"*\\\"` and/or `encoding=\u0027*\u0027`, if not found, it defaults to the UTF-8 encoding which bypasses the conversion logic. This logic can be used to pass a UTF-7 encoded XXE payload, by utilizing a whitespace before or after the = in the attribute definition. Sensitive information disclosure through the XXE on sites that allow users to upload their own excel spreadsheets, and parse them using PHPSpreadsheet\u0027s Excel parser. This issue has been addressed in release versions 1.29.1, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"PHPSpreadsheet es una librer\u00eda PHP pura para leer y escribir archivos de hojas de c\u00e1lculo. El esc\u00e1ner de seguridad responsable de prevenir ataques XXE en el lector XLSX se puede eludir modificando ligeramente la estructura XML, utilizando espacios en blanco. En servidores que permiten a los usuarios cargar sus propias hojas de Excel (XLSX), los archivos del servidor y la informaci\u00f3n confidencial se pueden divulgar proporcionando una hoja manipulada. La funci\u00f3n de escaneo de seguridad en src/PhpSpreadsheet/Reader/Security/XmlScanner.php contiene una comprobaci\u00f3n de codificaci\u00f3n XML defectuosa para recuperar la codificaci\u00f3n XML del archivo de entrada en la funci\u00f3n toUtf8. La funci\u00f3n busca la codificaci\u00f3n XML a trav\u00e9s de una expresi\u00f3n regular definida que busca `encoding=\\\"*\\\"` y/o `encoding=\u0027*\u0027`, si no se encuentra, se utiliza de forma predeterminada la codificaci\u00f3n UTF-8 que elude la l\u00f3gica de conversi\u00f3n. Esta l\u00f3gica se puede utilizar para pasar un payload XXE codificada en UTF-7, utilizando un espacio en blanco antes o despu\u00e9s del = en la definici\u00f3n del atributo. Divulgaci\u00f3n de informaci\u00f3n confidencial a trav\u00e9s de XXE en sitios que permiten a los usuarios cargar sus propias hojas de c\u00e1lculo de Excel y analizarlas mediante el analizador de Excel de PHPSpreadsheet. Este problema se ha solucionado en las versiones de lanzamiento 1.29.1, 2.1.1 y 2.3.0. Se recomienda a todos los usuarios que actualicen la versi\u00f3n. No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"references\":[{\"url\":\"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-6hwr-6v2f-3m88\",\"source\":\"security-advisories@github.com\"}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.