{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-7101","assignerOrgId":"027e81ed-0dd4-4685-ab4d-884aec5bb484","state":"PUBLISHED","assignerShortName":"Mandiant","dateReserved":"2023-12-24T16:23:02.000Z","datePublished":"2023-12-24T21:34:46.527Z","dateUpdated":"2025-10-21T23:05:29.481Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://metacpan.org/pod/Spreadsheet::ParseExcel","defaultStatus":"affected","packageName":"Spreadsheet::ParseExcel","product":"Spreadsheet::ParseExcel","repo":"https://metacpan.org/release/DOUGW/Spreadsheet-ParseExcel-0.65/source/lib/Spreadsheet","vendor":"Douglas Wilson","versions":[{"status":"affected","version":"0.65"}]}],"credits":[{"lang":"en","type":"finder","user":"00000000-0000-4000-9000-000000000000","value":"Le Dinh Hai (https://github.com/haile01/perl_spreadsheet_excel_rce_poc/tree/main)"},{"lang":"en","type":"reporter","user":"00000000-0000-4000-9000-000000000000","value":"Barracuda Networks Inc.  https://www.barracuda.com/"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: transparent;\">Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary</span> <span style=\"background-color: transparent;\">code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic. </span><br>"}],"value":"Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. 
Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic."}],"impacts":[{"capecId":"CAPEC-137","descriptions":[{"lang":"en","value":"CAPEC-137: Parameter Injection"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-95","description":"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"027e81ed-0dd4-4685-ab4d-884aec5bb484","shortName":"Mandiant","dateUpdated":"2024-05-05T14:52:28.089Z"},"references":[{"url":"https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-7101"},{"url":"https://metacpan.org/dist/Spreadsheet-ParseExcel"},{"url":"https://github.com/haile01/perl_spreadsheet_excel_rce_poc"},{"url":"https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171"},{"url":"http://www.openwall.com/lists/oss-security/2023/12/29/4"},{"url":"https://lists.debian.org/debian-lts-announce/2023/12/msg00025.html"},{"url":"https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFEHKULQRVXHIV7XXK2RGD4VQN6Y4CV5/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2FIWDHRYTAAQLGM6AFOZVM7AFZ4H2ZR/"},{"url":"https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Update to version 0.66<br>"}],"value":"Update to version 0.66"}],"source":{"discovery":"UNKNOWN"},"title":"Arbitrary Code Execution (ACE) Vulnerability","x_generator":{"engine":"Vulnogram 
0.1.0-dev"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"REQUIRED","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2023-7101","role":"CISA Coordinator","options":[{"Exploitation":"active"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-08-20T03:56:14.026771Z"}}},{"other":{"type":"kev","content":{"dateAdded":"2024-01-02","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-7101"}}}],"affected":[{"cpes":["cpe:2.3:a:jmcnamara:spreadsheet\\:\\:parseexcel:0.41:*:*:*:*:perl:*:*"],"vendor":"jmcnamara","product":"spreadsheet\\","versions":[{"status":"affected","version":"0.41","versionType":"custom","lessThanOrEqual":"0.65"}],"defaultStatus":"unknown"},{"cpes":["cpe:2.3:o:debian:debian_linux:10:*:*:*:*:*:*:*"],"vendor":"debian","product":"debian_linux","versions":[{"status":"affected","version":"10"}],"defaultStatus":"unknown"},{"cpes":["cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*"],"vendor":"fedoraproject","product":"fedora","versions":[{"status":"affected","version":"38"},{"status":"affected","version":"39"}],"defaultStatus":"unknown"},{"cpes":["cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*"],"vendor":"fedoraproject","product":"fedora","versions":[{"status":"affected","version":"38"},{"status":"affected","version":"39"}],"defaultStatus":"unknown"}],"references":[{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-7101","tags":["government-resource"]}],"timeline":[{"time":"2024-01-02T00:00:00.000Z","lang":"en","value":"CVE-2023-7101 added to CISA 
KEV"}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-21T23:05:29.481Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T08:50:08.227Z"},"title":"CVE Program Container","references":[{"url":"https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md","tags":["x_transferred"]},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-7101","tags":["x_transferred"]},{"url":"https://metacpan.org/dist/Spreadsheet-ParseExcel","tags":["x_transferred"]},{"url":"https://github.com/haile01/perl_spreadsheet_excel_rce_poc","tags":["x_transferred"]},{"url":"https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171","tags":["x_transferred"]},{"url":"http://www.openwall.com/lists/oss-security/2023/12/29/4","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2023/12/msg00025.html","tags":["x_transferred"]},{"url":"https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc","tags":["x_transferred"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFEHKULQRVXHIV7XXK2RGD4VQN6Y4CV5/","tags":["x_transferred"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2FIWDHRYTAAQLGM6AFOZVM7AFZ4H2ZR/","tags":["x_transferred"]},{"url":"https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html","tags":["x_transferred"]}]}]}}