Arbitrary Code Execution (ACE) Vulnerability
CVE-2023-7101

7.8 HIGH

Key Information:

Vendor: Douglas Wilson
Product: Spreadsheet::ParseExcel
CVE Published: 24 December 2023

Badges

👾 Exploit Exists | 🟣 EPSS 89% | 🦅 CISA Reported | 📰 News Worthy

Summary

The Spreadsheet::ParseExcel Perl module, in version 0.65 and earlier, contains a vulnerability that allows arbitrary code execution. The module passes unvalidated input taken from the workbook into a string-type eval: the Number format strings stored in an Excel file (cell number formats, not printf-style format strings) are spliced into Perl source text and evaluated while the file is parsed. A maliciously crafted Excel file can therefore run attacker-chosen Perl in the context of any process that opens it with the module, which is what makes it exploitable by simply delivering a file, for example as an e-mail attachment to a system that scans or converts spreadsheets. The fix, released in version 0.66, removes the eval; users of the module should upgrade to 0.66 or later, and anything that embeds the module (the news articles below note its use in Barracuda Email Security Gateway appliances) should be patched per the vendor's instructions.
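The following Perl script is an added illustration of the bug class described above; it is not code from Spreadsheet::ParseExcel, and the two routines, the scaling rule they implement and the format strings are constructed for the demonstration. It shows a number-format handler that interpolates the untrusted format string into Perl source and string-evals it (vulnerable), beside a version that whitelists the format and renders it with plain sprintf (hardened). A format string read from a real workbook would be entirely attacker controlled in the same way.

```perl
#!/usr/bin/perl
# Added illustration of the CVE-2023-7101 bug class: an Excel number format
# string read from the workbook is spliced into Perl source and string-eval'd.
# This is NOT code from Spreadsheet::ParseExcel; the routines, the scaling
# rule and the format strings below are constructed for the demonstration.
use strict;
use warnings;

our $executed = 0;   # becomes 1 only if attacker-supplied Perl actually ran

# Excel semantics assumed here: each trailing "," in a number format scales
# the value down by 1000, and the digits after "." give the decimal places.

# Vulnerable: the raw format string becomes part of an eval'd expression.
sub render_vulnerable {
    my ($value, $fmt) = @_;
    my ($decimals) = $fmt =~ /\.([0#]+)/;
    my $places = defined $decimals ? length($decimals) : 0;
    # BUG: $fmt is interpolated into source text. A format containing a
    # closing quote and ")" terminates the literal; what follows is Perl.
    my $code = "my \$scale = 1; \$scale *= 1000 for ('$fmt' =~ /,/g); "
             . "sprintf('%.${places}f', $value / \$scale)";
    my $out = eval $code;
    die "eval failed: $@" if $@;
    return $out;
}

# Hardened: whitelist the format up front, then render with sprintf.
# The format string never becomes Perl source, so there is nothing to inject.
sub render_hardened {
    my ($value, $fmt) = @_;
    $fmt =~ /\A[0#](?:[0#,]*[0#])?(?:\.([0#]+))?(,*)\z/
        or die "rejected number format: $fmt\n";
    my $places = defined $1 ? length($1) : 0;
    my $scale  = 1000 ** length($2);
    return sprintf("%.${places}f", $value / $scale);
}

my $value  = 2500;
my $benign = '0.00,';                              # "display in thousands"
my $evil   = q{0.00'); $main::executed = 1; ('};   # constructed payload

printf "vulnerable(%s) = %s executed=%d\n",
    $benign, render_vulnerable($value, $benign), $executed;
# The payload closes the quoted literal, runs its own statement, then
# re-opens a literal so the generated source still parses cleanly.
printf "vulnerable(%s) = %s executed=%d\n",
    $evil, render_vulnerable($value, $evil), $executed;

$executed = 0;
printf "hardened(%s) = %s\n", $benign, render_hardened($value, $benign);
my $ok = eval { render_hardened($value, $evil); 1 };
printf "hardened(evil) rejected=%d executed=%d\n", ($ok ? 0 : 1), $executed;
```

The vulnerable path renders the benign format correctly ("2.50") and also renders the malicious one, but only after the injected statement has set `$executed`; the hardened path produces the same "2.50" for the benign format and dies on the malicious one before interpreting it. To check whether an installed copy of the real module is affected, print its version with `perl -MSpreadsheet::ParseExcel -e 'print "$Spreadsheet::ParseExcel::VERSION\n"'`; anything at or below 0.65 should be upgraded to 0.66 or later.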

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA tracks the most dangerous vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability has been identified by CISA as exploited in the wild, but is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Spreadsheet::ParseExcel 0.65 and earlier (fixed in 0.66)

News Articles

CISA adds Excel, Chrome flaws to its exploited vulnerabilities catalog

Excel flaw tied to Chinese threat group UNC4841, while Chrome vulnerability is the eighth zero-day for the popular web browser of 2023.

Weekly VulnRecap - January 8, 2024

Discover what vulnerabilities were exploited in the first week of 2024 — including new and existing ones from Ivanti, Apache, and more.

CISA Adds Two Critical Vulnerabilities to Watchlist: CVE-2023-7024 and CVE-2023-7101

CISA has added two new vulnerabilities, CVE-2023-7024 and CVE-2023-7101, to its Known Exploited Vulnerabilities Catalog, in January 2024.

EPSS Score

89% chance of being exploited in the next 30 days.

CVSS V3.1

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist
  • 🦅 CISA Reported
  • 📰 First article discovered by SecurityWeek
  • Vulnerability published
  • Vulnerability Reserved

Credit

Le Dinh Hai (https://github.com/haile01/perl_spreadsheet_excel_rce_poc/tree/main)
Barracuda Networks Inc. (https://www.barracuda.com/)