RCE in Douglas Wilson Spreadsheet::parseexcel
CVE-2023-7101
Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “e…
EPSS: 0.557 (98.1th percentile) — read the EPSS interpretation.
Affected products
- Douglas Wilson Spreadsheet::parseexcel — versions 0.65
Weakness classification (CWE)
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on . CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.
BOD 22-01 due date: .
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Public proof-of-concept exploits
References
- github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md
- https://www.cve.org/CVERecord
- https://metacpan.org/dist/Spreadsheet-ParseExcel
- https://github.com/haile01/perl_spreadsheet_excel_rce_poc
- github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002fee…
- www.openwall.com/lists/oss-security/2023/12/29/4
- lists.debian.org/debian-lts-announce/2023/12/msg00025.html
- https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c5…
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/…
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/…
Frequently asked questions
- What is CVE-2023-7101?
- CVE-2023-7101 is a vulnerability in Douglas Wilson Spreadsheet::parseexcel, classified under Eval Injection. Published 2023-12-24.
- Is CVE-2023-7101 known to be exploited?
- Yes. CVE-2023-7101 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2024-01-02), indicating it is being actively exploited. 4 public proof-of-concept repositories are indexed.