CVE-2017-12108 — Integer Overflow or Wraparound in Libxls

CWE-190 — Integer Overflow or Wraparound4 documents4 sources

Severity

8.8HIGHNVD

EPSS

1.1%

top 21.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian R-cran-readxl Libxls Libxls Project Libxls

Timeline

PublishedApr 24

Latest updateMay 13

Description

An exploitable integer overflow vulnerability exists in the xls_preparseWorkSheet function of libxls 1.4 when handling a MULBLANK record. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5libxls/libxls1.4 readxl package 1.0.0 for R (tested using Microsoft R 4.3.1)

▶NVDlibxls_project/libxls1.4

▶debiandebian/r-cran-readxl< r-cran-readxl 1.0.0-2 (bookworm)

🔴Vulnerability Details

GHSA

GHSA-5hq7-x8gh-4prp: An exploitable integer overflow vulnerability exists in the xls_preparseWorkSheet function of libxls 1↗2022-05-13

▶

OSV

CVE-2017-12108: An exploitable integer overflow vulnerability exists in the xls_preparseWorkSheet function of libxls 1↗2018-04-24

▶

📋Vendor Advisories

Debian

CVE-2017-12108: r-cran-readxl - An exploitable integer overflow vulnerability exists in the xls_preparseWorkShee...↗2017

▶