{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-22368", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-11-04T22:05:37.486Z", "dateReserved": "2024-01-09T00:00:00.000Z", "datePublished": "2024-01-09T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-05T14:53:28.195Z"}, "descriptions": [{"lang": "en", "value": "The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md"}, {"url": "https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes"}, {"name": "[oss-security] 20240110 CVE-2024-22368: Spreadsheet::ParseXLSX for Perl is vulnerable to DoS via out-of-memory bugs", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/01/10/2"}, {"name": "[debian-lts-announce] 20240127 [SECURITY] [DLA 3723-1] libspreadsheet-parsexlsx-perl security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html"}, {"name": "FEDORA-2024-5f136f5d10", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/"}, {"name": "FEDORA-2024-fa14bfd3b5", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/"}, {"url": "https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md", "tags": ["x_transferred"]}, {"url": "https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes", "tags": ["x_transferred"]}, {"name": "[oss-security] 20240110 CVE-2024-22368: Spreadsheet::ParseXLSX for Perl is vulnerable to DoS via out-of-memory bugs", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2024/01/10/2"}, {"name": "[debian-lts-announce] 20240127 [SECURITY] [DLA 3723-1] libspreadsheet-parsexlsx-perl security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html"}, {"name": "FEDORA-2024-5f136f5d10", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/"}, {"name": "FEDORA-2024-fa14bfd3b5", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/"}, {"url": "https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T22:05:37.486Z"}}, {"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-05-09T23:38:16.109193Z", "id": "CVE-2024-22368", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-03T14:34:05.488Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md", "tags": ["x_transferred"]}, {"url": "https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/01/10/2", "name": "[oss-security] 20240110 CVE-2024-22368: Spreadsheet::ParseXLSX for Perl is vulnerable to DoS via out-of-memory bugs", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html", "name": "[debian-lts-announce] 20240127 [SECURITY] [DLA 3723-1] libspreadsheet-parsexlsx-perl security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/", "name": "FEDORA-2024-5f136f5d10", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/", "name": "FEDORA-2024-fa14bfd3b5", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T22:05:37.486Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-22368", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-09T23:38:16.109193Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T23:38:17.675Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md"}, {"url": "https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes"}, {"url": "http://www.openwall.com/lists/oss-security/2024/01/10/2", "name": "[oss-security] 20240110 CVE-2024-22368: Spreadsheet::ParseXLSX for Perl is vulnerable to DoS via out-of-memory bugs", "tags": ["mailing-list"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html", "name": "[debian-lts-announce] 20240127 [SECURITY] [DLA 3723-1] libspreadsheet-parsexlsx-perl security update", "tags": ["mailing-list"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/", "name": "FEDORA-2024-5f136f5d10", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/", "name": "FEDORA-2024-fa14bfd3b5", "tags": ["vendor-advisory"]}, {"url": "https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html"}], "descriptions": [{"lang": "en", "value": "The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-05T14:53:28.195Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22368", "state": "PUBLISHED", "dateUpdated": "2025-11-04T22:05:37.486Z", "dateReserved": "2024-01-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-01-09T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tozt:spreadsheet\\:\\:parsexlsx:*:*:*:*:*:perl:*:*", "matchCriteriaId": "6B156CF4-537A-4244-A107-0C4C05BAFDCC", "versionEndExcluding": "0.28", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells."}, {"lang": "es", "value": "El paquete Spreadsheet::ParseXLSX anterior a 0.28 para Perl puede encontrar una condici\u00f3n de falta de memoria durante el an\u00e1lisis de un documento XLSX manipulado. Esto ocurre porque la implementaci\u00f3n de memoize no tiene restricciones apropiadas en las celdas fusionadas."}], "id": "CVE-2024-22368", "lastModified": "2025-11-04T22:15:57.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-01-09T09:15:42.910", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/01/10/2"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes"}, {"source": "cve@mitre.org", "url": "https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/01/10/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}