CVE-2023-7101

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md", "name": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md", "tags": ["Third Party Advisory"], "refsource": ""}, {"url": "https://https://www.cve.org/CVERecord?id=CVE-2023-7101", "name": "https://https://www.cve.org/CVERecord?id=CVE-2023-7101", "tags": ["Third Party Advisory"], "refsource": ""}, {"url": "https://https://metacpan.org/dist/Spreadsheet-ParseExcel", "name": "https://https://metacpan.org/dist/Spreadsheet-ParseExcel", "tags": ["Product"], "refsource": ""}, {"url": "https://https://github.com/haile01/perl_spreadsheet_excel_rce_poc", "name": "https://https://github.com/haile01/perl_spreadsheet_excel_rce_poc", "tags": ["Third Party Advisory"], "refsource": ""}, {"url": "https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171", "name": "https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171", "tags": ["Product"], "refsource": ""}, {"url": "http://www.openwall.com/lists/oss-security/2023/12/29/4", "name": "http://www.openwall.com/lists/oss-security/2023/12/29/4", "tags": ["Mailing List", "Third Party Advisory"], "refsource": ""}, {"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00025.html", "name": "https://lists.debian.org/debian-lts-announce/2023/12/msg00025.html", "tags": ["Mailing List", "Third Party Advisory"], "refsource": ""}, {"url": "https://https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc", "name": "https://https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc", "tags": ["Patch"], "refsource": ""}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFEHKULQRVXHIV7XXK2RGD4VQN6Y4CV5/", "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFEHKULQRVXHIV7XXK2RGD4VQN6Y4CV5/", "tags": ["Mailing List"], "refsource": ""}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2FIWDHRYTAAQLGM6AFOZVM7AFZ4H2ZR/", "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2FIWDHRYTAAQLGM6AFOZVM7AFZ4H2ZR/", "tags": ["Mailing List"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type \u201ceval\u201d. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic. \n"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-94"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2023-7101", "ASSIGNER": "mandiant-cve@google.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}}, "publishedDate": "2023-12-24T22:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:jmcnamara:spreadsheet\\:\\:parseexcel:*:*:*:*:*:perl:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "0.65"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2024-01-09T20:07Z"}