CVE-2024-22368 - OpenCVE

The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Tozt	Spreadsheet\

Configuration 1 [-]

cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:*:*:*:*:*:perl:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/01/10/2
https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md
https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/
https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes
https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-01-09T00:00:00

Updated: 2024-08-01T22:43:34.716Z

Reserved: 2024-01-09T00:00:00

Link: CVE-2024-22368

Vulnrichment

No data.

NVD

Status : Modified

Published: 2024-01-09T09:15:42.910

Modified: 2024-05-05T15:15:48.953

Link: CVE-2024-22368

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-22368", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-01T22:43:34.716Z", "dateReserved": "2024-01-09T00:00:00", "datePublished": "2024-01-09T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-05T14:53:28.195073"}, "descriptions": [{"lang": "en", "value": "The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md"}, {"url": "https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes"}, {"name": "[oss-security] 20240110 CVE-2024-22368: Spreadsheet::ParseXLSX for Perl is vulnerable to DoS via out-of-memory bugs", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/01/10/2"}, {"name": "[debian-lts-announce] 20240127 [SECURITY] [DLA 3723-1] libspreadsheet-parsexlsx-perl security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html"}, {"name": "FEDORA-2024-5f136f5d10", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/"}, {"name": "FEDORA-2024-fa14bfd3b5", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/"}, {"url": "https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:34.716Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md", "tags": ["x_transferred"]}, {"url": "https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes", "tags": ["x_transferred"]}, {"name": "[oss-security] 20240110 CVE-2024-22368: Spreadsheet::ParseXLSX for Perl is vulnerable to DoS via out-of-memory bugs", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2024/01/10/2"}, {"name": "[debian-lts-announce] 20240127 [SECURITY] [DLA 3723-1] libspreadsheet-parsexlsx-perl security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html"}, {"name": "FEDORA-2024-5f136f5d10", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/"}, {"name": "FEDORA-2024-fa14bfd3b5", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/"}, {"url": "https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tozt:spreadsheet\\:\\:parsexlsx:*:*:*:*:*:perl:*:*", "matchCriteriaId": "6B156CF4-537A-4244-A107-0C4C05BAFDCC", "versionEndExcluding": "0.28", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells."}, {"lang": "es", "value": "El paquete Spreadsheet::ParseXLSX anterior a 0.28 para Perl puede encontrar una condici\u00f3n de falta de memoria durante el an\u00e1lisis de un documento XLSX manipulado. Esto ocurre porque la implementaci\u00f3n de memoize no tiene restricciones apropiadas en las celdas fusionadas."}], "id": "CVE-2024-22368", "lastModified": "2024-05-05T15:15:48.953", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-09T09:15:42.910", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/01/10/2"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes"}, {"source": "cve@mitre.org", "url": "https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}