FKIE_CVE-2023-7101

Vulnerability from fkie_nvd - Published: 2023-12-24 22:15 - Updated: 2025-10-24 16:39
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
References
mandiant-cve@google.comhttp://www.openwall.com/lists/oss-security/2023/12/29/4Mailing List, Patch, Third Party Advisory
mandiant-cve@google.comhttps://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171Product
mandiant-cve@google.comhttps://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.mdThird Party Advisory
mandiant-cve@google.comhttps://https://github.com/haile01/perl_spreadsheet_excel_rce_pocBroken Link, Third Party Advisory
mandiant-cve@google.comhttps://https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bcBroken Link, Patch
mandiant-cve@google.comhttps://https://metacpan.org/dist/Spreadsheet-ParseExcelBroken Link, Product
mandiant-cve@google.comhttps://https://www.cve.org/CVERecord?id=CVE-2023-7101Broken Link, Third Party Advisory
mandiant-cve@google.comhttps://lists.debian.org/debian-lts-announce/2023/12/msg00025.htmlMailing List
mandiant-cve@google.comhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFEHKULQRVXHIV7XXK2RGD4VQN6Y4CV5/Broken Link, Mailing List
mandiant-cve@google.comhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2FIWDHRYTAAQLGM6AFOZVM7AFZ4H2ZR/Broken Link, Mailing List
mandiant-cve@google.comhttps://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2023/12/29/4Mailing List, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171Product
af854a3a-2127-422b-91ae-364da2661108https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.mdThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://https://github.com/haile01/perl_spreadsheet_excel_rce_pocBroken Link, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bcBroken Link, Patch
af854a3a-2127-422b-91ae-364da2661108https://https://metacpan.org/dist/Spreadsheet-ParseExcelBroken Link, Product
af854a3a-2127-422b-91ae-364da2661108https://https://www.cve.org/CVERecord?id=CVE-2023-7101Broken Link, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2023/12/msg00025.htmlMailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFEHKULQRVXHIV7XXK2RGD4VQN6Y4CV5/Broken Link, Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2FIWDHRYTAAQLGM6AFOZVM7AFZ4H2ZR/Broken Link, Mailing List
af854a3a-2127-422b-91ae-364da2661108https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.htmlThird Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-7101US Government Resource
Impacted products
Vendor Product Version
jmcnamara spreadsheet\ \
debian debian_linux 10.0
fedoraproject fedora 38
fedoraproject fedora 39
To clipboard 

{
  "cisaActionDue": "2024-01-23",
  "cisaExploitAdd": "2024-01-02",
  "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "Spreadsheet::ParseExcel Remote Code Execution Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:jmcnamara:spreadsheet\\:\\:parseexcel:*:*:*:*:*:perl:*:*",
              "matchCriteriaId": "1C81AC37-3219-4A80-A89E-8BDC1E238F82",
              "versionEndIncluding": "0.65",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type \u201ceval\u201d. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic."
    },
    {
      "lang": "es",
      "value": "Spreadsheet::ParseExcel version 0.65 es un m\u00f3dulo Perl utilizado para analizar archivos Excel. Spreadsheet::ParseExcel es afectado por una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo arbitrario (ACE) debido a que se pasa una entrada no validada de un archivo a una \"evaluaci\u00f3n\" de tipo cadena. Espec\u00edficamente, el problema surge de la evaluaci\u00f3n de cadenas de formato num\u00e9rico (que no deben confundirse con cadenas de formato de estilo printf) dentro de la l\u00f3gica de an\u00e1lisis de Excel."
    }
  ],
  "id": "CVE-2023-7101",
  "lastModified": "2025-10-24T16:39:52.043",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-12-24T22:15:07.983",
  "references": [
    {
      "source": "mandiant-cve@google.com",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/12/29/4"
    },
    {
      "source": "mandiant-cve@google.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171"
    },
    {
      "source": "mandiant-cve@google.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md"
    },
    {
      "source": "mandiant-cve@google.com",
      "tags": [
        "Broken Link",
        "Third Party Advisory"
      ],
      "url": "https://https://github.com/haile01/perl_spreadsheet_excel_rce_poc"
    },
    {
      "source": "mandiant-cve@google.com",
      "tags": [
        "Broken Link",
        "Patch"
      ],
      "url": "https://https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc"
    },
    {
      "source": "mandiant-cve@google.com",
      "tags": [
        "Broken Link",
        "Product"
      ],
      "url": "https://https://metacpan.org/dist/Spreadsheet-ParseExcel"
    },
    {
      "source": "mandiant-cve@google.com",
      "tags": [
        "Broken Link",
        "Third Party Advisory"
      ],
      "url": "https://https://www.cve.org/CVERecord?id=CVE-2023-7101"
    },
    {
      "source": "mandiant-cve@google.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00025.html"
    },
    {
      "source": "mandiant-cve@google.com",
      "tags": [
        "Broken Link",
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFEHKULQRVXHIV7XXK2RGD4VQN6Y4CV5/"
    },
    {
      "source": "mandiant-cve@google.com",
      "tags": [
        "Broken Link",
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2FIWDHRYTAAQLGM6AFOZVM7AFZ4H2ZR/"
    },
    {
      "source": "mandiant-cve@google.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/12/29/4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Third Party Advisory"
      ],
      "url": "https://https://github.com/haile01/perl_spreadsheet_excel_rce_poc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Patch"
      ],
      "url": "https://https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Product"
      ],
      "url": "https://https://metacpan.org/dist/Spreadsheet-ParseExcel"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Third Party Advisory"
      ],
      "url": "https://https://www.cve.org/CVERecord?id=CVE-2023-7101"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00025.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFEHKULQRVXHIV7XXK2RGD4VQN6Y4CV5/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2FIWDHRYTAAQLGM6AFOZVM7AFZ4H2ZR/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-7101"
    }
  ],
  "sourceIdentifier": "mandiant-cve@google.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-95"
        }
      ],
      "source": "mandiant-cve@google.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.