NVD Vulnerability Detail

CVE-2024-22368

Summary	The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells.
Publication Date	Jan. 9, 2024, 6:15 p.m.
Registration Date	Jan. 10, 2024, 10 a.m.
Last Update	Nov. 21, 2024, 5:56 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx::::::perl::*					0.28

Related information, measures and tools

No	URL	タグ
1	http://www.openwall.com/lists/oss-security/2024/01/10/2	Exploit Mailing List Third Party Advisory
2	http://www.openwall.com/lists/oss-security/2024/01/10/2	Exploit Mailing List Third Party Advisory
3	https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md	Exploit Mitigation Third Party Advisory
4	https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md	Exploit Mitigation Third Party Advisory
5	https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html
6	https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html
7	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/
9	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/
10	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/
11	https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes	Release Notes
12	https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes	Release Notes
13	https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html
14	https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html

Common Vulnerabilities List

JVN Vulnerability Information

tozt の Perl 用 spreadsheet::parsexlsx における脆弱性

Title	tozt の Perl 用 spreadsheet::parsexlsx における脆弱性
Summary	tozt の Perl 用 spreadsheet::parsexlsx には、不特定の脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	参考情報を参照して適切な対策を実施してください。
Publication Date	Jan. 9, 2024, midnight
Registration Date	Feb. 2, 2024, 12:22 p.m.
Last Update	Feb. 2, 2024, 12:22 p.m.

Affected System

tozt

spreadsheet::parsexlsx 0.28 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-22368	https://www.cve.org/CVERecord?id=CVE-2024-22368
National Vulnerability Database (NVD)
2	CVE-2024-22368	https://nvd.nist.gov/vuln/detail/CVE-2024-22368

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-noinfo	https://www.ipa.go.jp/security/vuln/scap/cwe.html

その他

No	Name	URL
関連文書
1	github.com (parse_xlsx_bomb.md)	https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md
2	metacpan.org (changes)	https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes
3	www.openwall.com (oss-security/2024/01/10/2)	http://www.openwall.com/lists/oss-security/2024/01/10/2

Change Log

No	Changed Details	Date of change
1	[2024年02月02日] 掲載	Feb. 2, 2024, 12:21 p.m.