CVE-2023-7101

2023-12-2422:15:07

Alpine Linux Development Team

security.alpinelinux.org

cve-2023-7101

arbitrary code execution

perl module

excel files

unvalidated input

number format strings

security vulnerability

unix

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

0.053 Low

EPSS

Percentile

93.1%

JSON

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.

OSVersionArchitecturePackageVersionFilename
Alpineedge-communitynoarchperl-spreadsheet-parseexcel< 0.66-r0UNKNOWN
Alpine3.18-communitynoarchperl-spreadsheet-parseexcel< 0.66-r0UNKNOWN
Alpine3.19-communitynoarchperl-spreadsheet-parseexcel< 0.66-r0UNKNOWN
Alpine3.20-communitynoarchperl-spreadsheet-parseexcel< 0.66-r0UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Alpine	edge-community	noarch	perl-spreadsheet-parseexcel	< 0.66-r0	UNKNOWN
Alpine	3.18-community	noarch	perl-spreadsheet-parseexcel	< 0.66-r0	UNKNOWN
Alpine	3.19-community	noarch	perl-spreadsheet-parseexcel	< 0.66-r0	UNKNOWN
Alpine	3.20-community	noarch	perl-spreadsheet-parseexcel	< 0.66-r0	UNKNOWN