CVE-2023-7101

Known Exploited
Arbitrary Code Execution (ACE) Vulnerability

Description

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.

Remediation

Solution:

  • Update to version 0.66

Categories

7.8
CVSS
Severity: High
CVSS 3.1 •
EPSS 89.98% Top 5%
KEV Since 
Third-Party Advisory openwall.com Third-Party Advisory github.com Third-Party Advisory https: Third-Party Advisory https: Third-Party Advisory metacpan.org
Affected: Douglas Wilson Spreadsheet::ParseExcel
Published at:
Updated at:

References

Link Tags
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md third party advisory
https://https://www.cve.org/CVERecord?id=CVE-2023-7101 third party advisory broken link
https://https://metacpan.org/dist/Spreadsheet-ParseExcel broken link product
https://https://github.com/haile01/perl_spreadsheet_excel_rce_poc third party advisory broken link
https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171 product
http://www.openwall.com/lists/oss-security/2023/12/29/4 mailing list third party advisory patch
https://lists.debian.org/debian-lts-announce/2023/12/msg00025.html mailing list
https://https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc patch broken link
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFEHKULQRVXHIV7XXK2RGD4VQN6Y4CV5/ mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2FIWDHRYTAAQLGM6AFOZVM7AFZ4H2ZR/ mailing list
https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html third party advisory

Frequently Asked Questions

What is the severity of CVE-2023-7101?
CVE-2023-7101 has been scored as a high severity vulnerability.
How to fix CVE-2023-7101?
To fix CVE-2023-7101: Update to version 0.66
Is CVE-2023-7101 being actively exploited in the wild?
It is confirmed that CVE-2023-7101 is actively exploited. Be extra cautious if you are using vulnerable components. According to its EPSS score, there is a ~90% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-7101?
CVE-2023-7101 affects Douglas Wilson Spreadsheet::ParseExcel.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.