CVE-2024-22368 | Vulnerability Database | Aqua Security

The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells.

Affected Software

Name	Vendor	Start Version	End Version
Spreadsheet::parsexlsx	Tozt	*	0.28 (excluding)
Libspreadsheet-parsexlsx-perl	Ubuntu	bionic	*
Libspreadsheet-parsexlsx-perl	Ubuntu	focal	*
Libspreadsheet-parsexlsx-perl	Ubuntu	jammy	*
Libspreadsheet-parsexlsx-perl	Ubuntu	lunar	*
Libspreadsheet-parsexlsx-perl	Ubuntu	mantic	*
Libspreadsheet-parsexlsx-perl	Ubuntu	trusty	*
Libspreadsheet-parsexlsx-perl	Ubuntu	upstream	*
Libspreadsheet-parsexlsx-perl	Ubuntu	xenial	*

References

http://www.openwall.com/lists/oss-security/2024/01/10/2
https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md
https://lists.debian.org/debian-lts-announce/2024/01/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R7NYWVVZYDZIQC5YEXNHZM6VEE26SJV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNJVC4C5C5V44DNOZ5BHVU53CDXPB2OJ/
https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes
https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2024-22368
CWE	https://cwe.mitre.org/data/definitions/.html