CVE Details for CVE: CVE-2024-23525
Summary
The Spreadsheet::ParseXLSX package before 0.30 for Perl allows XML External Entity (XXE) attacks because it neglects to use the no_xxe option of XML::Twig.
Timestamps

Field | Timestamp
---|---
Last major update | 27-01-2024 22:15
Published | 18-01-2024 00:15
Last modified | 27-01-2024 22:15
References
- https://metacpan.org/release/NUDDLEGG/Spreadsheet-ParseXLSX-0.30/changes
- https://gist.github.com/phvietan/d1c95a88ab6e17047b0248d6bf9eac4a
- https://github.com/MichaelDaum/spreadsheet-parsexlsx/issues/10
- http://www.openwall.com/lists/oss-security/2024/01/18/4
- https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html
Vulnerable Configurations
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.01:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.02:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.03:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.04:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.05:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.06:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.07:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.08:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.09:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.10:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.11:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.12:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.13:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.14:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.15:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.16:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.17:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.18:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.19:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.20:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.21:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.22:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.23:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.24:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.25:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.26:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.27:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.28:*:*:*:*:perl:*:*
- cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.29:*:*:*:*:perl:*:*
CAPEC
- Data Serialization External Entities Blowup: This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
CWE
CVSS (v2)

Base score: None. No impact, exploitability or access metrics are listed for this CVE.
CVSS3

Score | Value
---|---
Base | 6.5
Impact | 3.6
Exploitability | 2.8

Access

Attack Complexity | Attack Vector | Privileges Required | Scope | User Interaction
---|---|---|---|---
LOW | NETWORK | NONE | UNCHANGED | REQUIRED

Impact

Confidentiality | Integrity | Availability
---|---|---
HIGH | NONE | NONE