CVE-2024-22368

The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/01/10/2	Exploit Mailing List Third Party Advisory
https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md	Exploit Mitigation Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/
https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes	Release Notes
https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html

Configurations

Configuration 1 (hide)

cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:*:*:*:*:*:perl:*:*

History

No history.

Information

Published : 2024-01-09 09:15

Updated : 2024-05-05 15:15

NVD link : CVE-2024-22368

Mitre link : CVE-2024-22368

CVE.ORG link : CVE-2024-22368

JSON object : View

Products Affected

tozt

spreadsheet\

CWE

NVD-CWE-noinfo

{"id": "CVE-2024-22368", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-01-09T09:15:42.910", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/01/10/2", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/", "source": "cve@mitre.org"}, {"url": "https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes", "tags": ["Release Notes"], "source": "cve@mitre.org"}, {"url": "https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells."}, {"lang": "es", "value": "El paquete Spreadsheet::ParseXLSX anterior a 0.28 para Perl puede encontrar una condici\u00f3n de falta de memoria durante el an\u00e1lisis de un documento XLSX manipulado. Esto ocurre porque la implementaci\u00f3n de memoize no tiene restricciones apropiadas en las celdas fusionadas."}], "lastModified": "2024-05-05T15:15:48.953", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tozt:spreadsheet\\:\\:parsexlsx:*:*:*:*:*:perl:*:*", "vulnerable": true, "matchCriteriaId": "6B156CF4-537A-4244-A107-0C4C05BAFDCC", "versionEndExcluding": "0.28"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}