Spreadsheet-ParseXLSX 0.26
Security Advisories
CVE-2024-22368
The Spreadsheet::ParseXLSX package for Perl, in versions before 0.28, can run out of memory while parsing a crafted XLSX document (a denial of service). The cause is that the memoize implementation places no appropriate constraints on merged cells, so an attacker-controlled file can drive memory use without bound.
- https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md
- https://github.com/briandfoy/cpan-security-advisory/issues/131
- https://nvd.nist.gov/vuln/detail/CVE-2024-22368
- https://github.com/advisories/GHSA-x2hg-844v-frvh
Fixed version: >=0.28
Reported: 2024-01-03
CVE-2024-23525
In its default configuration, Spreadsheet::ParseXLSX is vulnerable to XML External Entity (XXE) injection: a call such as Spreadsheet::ParseXLSX->new()->parse('user_input_file.xlsx') on an XLSX file supplied by a user allows the XML parts inside that file to declare and expand external entities during parsing.
- https://gist.github.com/phvietan/d1c95a88ab6e17047b0248d6bf9eac4a
- https://github.com/briandfoy/cpan-security-advisory/issues/134
- https://github.com/MichaelDaum/spreadsheet-parsexlsx/issues/10
- https://github.com/advisories/GHSA-cxjh-j6f8-vrmf
- https://nvd.nist.gov/vuln/detail/CVE-2024-23525
Fixed version: >=0.30
Reported: 2024-01-17
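Both advisories above concern content that a hostile XLSX can carry into the parser: a DOCTYPE with external entities (CVE-2024-23525) and merged-cell declarations large enough to exhaust memory (CVE-2024-22368). The following is an added example, not code from Spreadsheet::ParseXLSX or from the linked advisories, written in Python so it runs stand-alone. It opens an XLSX as the ZIP of OOXML XML parts that it is, flags any part containing a DOCTYPE or ENTITY declaration, and sums the area covered by `<mergeCell ref="...">` ranges in worksheet parts against a cap. The sample sheets are constructed for the example, the 1,000,000-cell cap is a heuristic chosen here rather than a value from the advisories, and `affected_cves()` simply applies the fixed versions listed on this page to a module version string.

```python
"""Pre-parse triage of XLSX files before handing them to Spreadsheet::ParseXLSX.

Added example, not code from the project or the advisories.  Assumptions:
an XLSX is a ZIP of OOXML XML parts; merged cells are declared as
<mergeCell ref="A1:B2"/> inside worksheet parts; a DOCTYPE or ENTITY
declaration has no legitimate place in an OOXML part.  MAX_MERGED_AREA is a
heuristic cap picked for this example.
"""
import io
import re
import zipfile

# Constructed sample worksheet parts (not real spreadsheets).
SAFE_SHEET = (b'<?xml version="1.0"?><worksheet><sheetData/>'
              b'<mergeCells count="1"><mergeCell ref="A1:B2"/></mergeCells>'
              b'</worksheet>')
XXE_SHEET = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
             b'<worksheet><sheetData><row r="1"><c r="A1" t="inlineStr">'
             b'<is><t>&xxe;</t></is></c></row></sheetData></worksheet>')
BOMB_SHEET = (b'<?xml version="1.0"?><worksheet><sheetData/>'
              b'<mergeCells count="1"><mergeCell ref="A1:XFD1048576"/></mergeCells>'
              b'</worksheet>')

DOCTYPE_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
# \b after mergeCell keeps the <mergeCells> container from matching.
MERGE_RE = re.compile(rb'<mergeCell\b[^>]*\bref="([A-Z]+)(\d+):([A-Z]+)(\d+)"')

MAX_MERGED_AREA = 1_000_000  # heuristic cap for this example

# Fixed versions as listed in the advisories above.
FIXED_IN = {"CVE-2024-22368": 0.28, "CVE-2024-23525": 0.30}


def col_to_index(letters):
    """Spreadsheet column letters to a 1-based index: A=1, Z=26, AA=27, XFD=16384."""
    n = 0
    for ch in letters:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def merged_area(sheet_xml):
    """Total number of cells covered by all mergeCell ranges in one worksheet part."""
    total = 0
    for c1, r1, c2, r2 in MERGE_RE.findall(sheet_xml):
        width = abs(col_to_index(c2.decode()) - col_to_index(c1.decode())) + 1
        height = abs(int(r2) - int(r1)) + 1
        total += width * height
    return total


def build_xlsx(sheet_xml):
    """Minimal ZIP carrying one worksheet part; enough for the checks below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("xl/workbook.xml", b"<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()


def triage_xlsx(data, max_area=MAX_MERGED_AREA):
    """Return a list of findings for the XLSX bytes; an empty list means no red flags."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".xml"):
                continue
            xml = z.read(name)
            # Any DOCTYPE/ENTITY is treated as hostile: OOXML parts never need one.
            if DOCTYPE_RE.search(xml):
                findings.append(("doctype", name))
            if name.startswith("xl/worksheets/"):
                area = merged_area(xml)
                if area > max_area:
                    findings.append(("merged-area", name, area))
    return findings


def affected_cves(version):
    """CVEs from this page that apply to a Spreadsheet::ParseXLSX version string."""
    v = float(version)
    return [cve for cve, fixed in FIXED_IN.items() if v < fixed]


if __name__ == "__main__":
    for label, sheet in (("safe", SAFE_SHEET), ("xxe", XXE_SHEET), ("bomb", BOMB_SHEET)):
        print(label, triage_xlsx(build_xlsx(sheet)))
    print("0.26 affected by:", affected_cves("0.26"))
```

The triage is deliberately stricter than the parser needs to be: an internal-only DOCTYPE is flagged as well, because a spreadsheet that arrives with one is anomalous regardless of whether its entities resolve externally. The merged-area cap is a defence-in-depth filter for files coming from untrusted users; upgrading to 0.30 or later, per the fixed versions above, remains the actual fix.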