Spreadsheet-ParseXLSX 0.14
Security Advisories
CVE-2024-22368
The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells.
- https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md
- https://github.com/briandfoy/cpan-security-advisory/issues/131
- https://nvd.nist.gov/vuln/detail/CVE-2024-22368
- https://github.com/advisories/GHSA-x2hg-844v-frvh
Fixed version: >=0.28
Reported: 2024-01-03
CVE-2024-23525
In the default configuration of Spreadsheet::ParseXLSX, calling Spreadsheet::ParseXLSX->new()->parse('user_input_file.xlsx') is vulnerable to XXE if the XLSX file being parsed comes from user input.
- https://gist.github.com/phvietan/d1c95a88ab6e17047b0248d6bf9eac4a
- https://github.com/briandfoy/cpan-security-advisory/issues/134
- https://github.com/MichaelDaum/spreadsheet-parsexlsx/issues/10
- https://github.com/advisories/GHSA-cxjh-j6f8-vrmf
- https://nvd.nist.gov/vuln/detail/CVE-2024-23525
Fixed version: >=0.30
Reported: 2024-01-17
Kwalitee Issues
No Core Issues.
- meta_yml_declares_perl_version
If you are using Build.PL, define the {requires}{perl} = VERSION field. If you are using MakeMaker (Makefile.PL), you should upgrade ExtUtils::MakeMaker to 6.48 and use the MIN_PERL_VERSION parameter. Perl::MinimumVersion can help you determine which version of Perl your module needs.
Modules
Name | Abstract | Version | View |
---|---|---|---|
Spreadsheet::ParseXLSX | parse XLSX files | 0.14 | metacpan |