CVE-2024-22368
PUBLISHED
CVSS 5.5 MEDIUM
The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells.
EPSS 0.06% · 19.7th percentile
Risk Scores
CVSS 3.1
5.5
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS Score
0.06%
19.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| tozt | Spreadsheet::ParseXLSX | before 0.28 |
Exploit Intelligence
- CIRCL seen: CVE-2024-22368 (circl-sighting)
- http://www.openwall.com/lists/oss-security/2024/01/10/2 (nist-nvd)
- https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md (nist-nvd)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/ (circl)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/ (circl)
- https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes (circl)
- [debian-lts-announce] 20240127 [SECURITY] [DLA 3723-1] libspreadsheet-parsexlsx-perl security update (circl)
- FEDORA-2024-5f136f5d10 (circl)
- FEDORA-2024-fa14bfd3b5 (circl)
Timeline
- Jan 9, 2024 CVE Published
- Jan 9, 2024 PoC Published
- Jan 18, 2024 EPSS Score
- Jan 26, 2024 PoC Published
- Feb 15, 2024 EPSS Score
- Mar 14, 2024 EPSS Score
- Apr 11, 2024 EPSS Score
- May 9, 2024 EPSS Score
- Jun 6, 2024 EPSS Score
- Jul 4, 2024 EPSS Score
- Aug 1, 2024 EPSS Score
- Aug 29, 2024 EPSS Score
References
- https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md url
- https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes url
- [oss-security] 20240110 CVE-2024-22368: Spreadsheet::ParseXLSX for Perl is vulnerable to DoS via out-of-memory bugs mailing-list
- [debian-lts-announce] 20240127 [SECURITY] [DLA 3723-1] libspreadsheet-parsexlsx-perl security update mailing-list
- FEDORA-2024-5f136f5d10 vendor-advisory
- FEDORA-2024-fa14bfd3b5 vendor-advisory
- https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html url
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/ url
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/ url
- https://nvd.nist.gov/vuln/detail/CVE-2024-22368 advisory