CVE-2023-7101

Published: Dec 24, 2023Modified: Jun 17, 2026CISA KEV

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.

Affected (4)

Products: Jmcnamara: Spreadsheet\ · Debian: Debian Linux · Fedoraproject: Fedora

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jmcnamara Spreadsheet\	Up to 0.65

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 38
Fedoraproject Fedora	Version 39

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

References (23)

http://www.openwall.com/lists/oss-security/2023/12/29/4

Source: mandiant-cve@google.com

Mailing ListPatchThird Party Advisory

https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171

Source: mandiant-cve@google.com

Product

https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md

Source: mandiant-cve@google.com

Third Party Advisory

https://https://github.com/haile01/perl_spreadsheet_excel_rce_poc

Source: mandiant-cve@google.com

Broken LinkThird Party Advisory

https://https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc

Source: mandiant-cve@google.com

Broken LinkPatch

https://https://metacpan.org/dist/Spreadsheet-ParseExcel

Source: mandiant-cve@google.com

Broken LinkProduct

https://https://www.cve.org/CVERecord?id=CVE-2023-7101

Source: mandiant-cve@google.com

Broken LinkThird Party Advisory

https://lists.debian.org/debian-lts-announce/2023/12/msg00025.html

Source: mandiant-cve@google.com

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFEHKULQRVXHIV7XXK2RGD4VQN6Y4CV5/

Source: mandiant-cve@google.com

Broken LinkMailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2FIWDHRYTAAQLGM6AFOZVM7AFZ4H2ZR/

Source: mandiant-cve@google.com

Broken LinkMailing List

https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html

Source: mandiant-cve@google.com

Third Party Advisory

http://www.openwall.com/lists/oss-security/2023/12/29/4

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatchThird Party Advisory

https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://https://github.com/haile01/perl_spreadsheet_excel_rce_poc

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkThird Party Advisory

https://https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkPatch

https://https://metacpan.org/dist/Spreadsheet-ParseExcel

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkProduct

https://https://www.cve.org/CVERecord?id=CVE-2023-7101

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkThird Party Advisory

https://lists.debian.org/debian-lts-announce/2023/12/msg00025.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFEHKULQRVXHIV7XXK2RGD4VQN6Y4CV5/

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkMailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2FIWDHRYTAAQLGM6AFOZVM7AFZ4H2ZR/

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkMailing List

https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-7101

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.