CVE-2023-7101
Published 2023-12-24
Priority: P1 · 81 · high · CVSS 3.1 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2024-01-23
Exploited in the wild
EPSS: 16.70% (96.6th percentile)
Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | libspreadsheet-parseexcel-perl | < libspreadsheet-parseexcel-perl 0.6500-4~deb12u1 (bookworm) | libspreadsheet-parseexcel-perl 0.6500-4~deb12u1 (bookworm) |
| douglas_wilson | spreadsheet_parseexcel | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| jmcnamara | spreadsheet | <= 0.65 | — |
Detection & IOCs (extracted from sources)
- Detect exploitation by monitoring for eval() execution triggered by Excel Number format strings in Spreadsheet::ParseExcel (Utility.pm). Malicious payloads are injected via FORMAT records in BIFF8 XLS files and must not contain ']' or single-quote characters.
- Hunt for XLS email attachments delivered to Barracuda ESG appliances (versions 5.1.3.001 through 9.2.1.001) that trigger Amavis/Spreadsheet::ParseExcel processing — these are the attack vector for CVE-2023-7102/CVE-2023-7101 exploitation.
- Post-exploitation: look for SeaSpy and Saltwater malware artifacts on ESG appliances, consistent with UNC4841 (China-nexus) TTPs observed starting November 2023.
- The exploit payload injected into the XLS FORMAT record must avoid ']' (terminates format string) and single quotes (breaks Perl eval injection) — use these constraints to craft detection signatures for anomalous FORMAT record content in XLS files.
- CVE-2023-7101 tracks the vulnerability in the upstream open-source Spreadsheet::ParseExcel library (fixed in version 0.66), while CVE-2023-7102 tracks the specific Barracuda ESG implementation. Organizations using the library in their own products must patch independently.
- CISA's KEV remediation deadline was January 23, 2024 for federal agencies. The vulnerability affects a common open-source component used across many products — vendor-specific patching status must be checked individually.
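The detection notes above suggest signatures for anomalous FORMAT record content. The following is an added example (not code from this page, from Spreadsheet::ParseExcel, or from any of the quoted advisories) of a defender-side scanner that walks a raw BIFF8 Workbook stream, decodes each FORMAT record's number-format string, and flags bracket sections that are not one of the forms Excel itself emits (colours, locale/currency tags, elapsed-time tokens, simple numeric conditions), plus characters that number formats never need. It assumes the Workbook stream has already been extracted from the OLE2 container (for example with the olefile library; that step is not shown), that the record layout follows the standard BIFF8 FORMAT/XLUnicodeString definition, and that the allowlist regex is a heuristic of the author of this example rather than anything the library defines. The sample stream and the `make_format_record` helper are constructed here for the demonstration.

```python
import re
import struct

# BIFF8 FORMAT record opcode (assumption: standard BIFF8 layout per [MS-XLS]).
FORMAT_RECORD = 0x041E
EOF_RECORD = 0x000A

# Bracket sections that legitimate Excel number-format strings use:
#   [Red] / [Color12]   colours
#   [$-409] / [$EUR-2]  locale/currency tags (cannot contain ']' by definition)
#   [h] [mm] [ss]       elapsed-time tokens
#   [>=100] / [<0]      simple numeric conditions
# Anything else inside brackets is treated as anomalous (heuristic, not exhaustive).
LEGIT_BRACKET = re.compile(
    r"^(?:"
    r"(?:Black|Blue|Cyan|Green|Magenta|Red|White|Yellow|Color\d{1,2})"
    r"|\$[^\]]*"
    r"|[hms]{1,2}"
    r"|(?:<=|>=|<>|<|>|=)-?\d+(?:\.\d+)?"
    r")$",
    re.IGNORECASE,
)

# Characters that Excel number formats never need but that code in other languages commonly uses.
ODD_CHARS = set("`{}|&~")


def iter_biff_records(stream: bytes):
    """Yield (opcode, payload) for each record in a raw BIFF stream; stop on truncation."""
    pos = 0
    while pos + 4 <= len(stream):
        opcode, length = struct.unpack_from("<HH", stream, pos)
        pos += 4
        payload = stream[pos:pos + length]
        if len(payload) < length:
            break  # truncated record: stop rather than misparse the tail
        pos += length
        yield opcode, payload


def decode_xl_unicode_string(data: bytes) -> str:
    """Decode an XLUnicodeString (cch:2, flags:1, chars) as used by the BIFF8 FORMAT record."""
    cch, flags = struct.unpack_from("<HB", data, 0)
    body = data[3:]
    if flags & 0x01:  # fHighByte set: characters are UTF-16LE
        return body[:cch * 2].decode("utf-16-le", errors="replace")
    return body[:cch].decode("latin-1")  # compressed 8-bit characters


def format_string_findings(fmt: str):
    """Return the list of reasons a number-format string looks anomalous (empty if it looks normal)."""
    reasons = []
    for section in re.findall(r"\[([^\]]*)\]", fmt):
        if not LEGIT_BRACKET.match(section):
            reasons.append(f"unexpected bracket section: [{section}]")
    odd = sorted(set(fmt) & ODD_CHARS)
    if odd:
        reasons.append("characters not used by number formats: " + "".join(odd))
    if len(fmt) > 255:  # Excel caps custom number formats at 255 characters
        reasons.append(f"format string too long ({len(fmt)} chars)")
    return reasons


def scan_workbook_stream(stream: bytes):
    """Scan a raw Workbook (BIFF8) stream; return [(ifmt, fmt, reasons)] for anomalous FORMAT records."""
    hits = []
    for opcode, payload in iter_biff_records(stream):
        if opcode != FORMAT_RECORD or len(payload) < 5:
            continue
        ifmt = struct.unpack_from("<H", payload, 0)[0]
        fmt = decode_xl_unicode_string(payload[2:])
        reasons = format_string_findings(fmt)
        if reasons:
            hits.append((ifmt, fmt, reasons))
    return hits


def make_format_record(ifmt: int, fmt: str) -> bytes:
    """Build a BIFF8 FORMAT record with a compressed 8-bit string (used only to construct sample input)."""
    body = fmt.encode("latin-1")
    payload = struct.pack("<HHB", ifmt, len(body), 0) + body
    return struct.pack("<HH", FORMAT_RECORD, len(payload)) + payload


# Constructed sample stream: two ordinary custom formats, an EOF record, and one format whose
# bracket section is neither a colour, a locale tag, an elapsed-time token nor a numeric condition.
SAMPLE_STREAM = (
    make_format_record(164, '[Red]"$"#,##0.00;[Blue]-"$"#,##0.00')
    + make_format_record(165, "[>=100]0;[<100]0.00")
    + struct.pack("<HH", EOF_RECORD, 0)
    + make_format_record(166, "[HYPOTHETICAL_NOT_A_CONDITION]0")
)

if __name__ == "__main__":
    for ifmt, fmt, reasons in scan_workbook_stream(SAMPLE_STREAM):
        print(f"ifmt={ifmt} fmt={fmt!r}: {'; '.join(reasons)}")
```

The allowlist is deliberately narrow: a legitimate workbook that uses an unusual but valid bracket form (for instance a condition with a leading space) will be reported and should be triaged rather than blocked outright. Running the scan on the Workbook stream rather than on the raw file bytes matters because OLE2 sectors can fragment records.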
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | — | 7.8 | HIGH | — |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
Ubuntu
CVE-2023-7101: Spreadsheet::ParseExcel vulnerability
Source: vendor_ubuntu · 2024-05-21
Summary: Spreadsheet::ParseExcel could possibly run commands if it processed a specially crafted file.
Le Dinh Hai discovered that Spreadsheet::ParseExcel was passing unvalidated input from a file into a string-type "eval". An attacker could craft a malicious file to achieve arbitrary code execution.
Instructions: In general, a standard system update will make all the necessary changes.
CISA
CVE-2023-7101 [HIGH] CWE-95: Spreadsheet::ParseExcel Remote Code Execution Vulnerability
Source: cisa · 2024-01-02 · CVSS 7.8
Affected: Spreadsheet::ParseExcel Spreadsheet::ParseExcel
Spreadsheet::ParseExcel contains a remote code execution vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings within the Excel parsing logic.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://metacpan.org/dist/Spreadsheet-ParseExcel and Ba
Debian
CVE-2023-7101 [HIGH]: libspreadsheet-parseexcel-perl - Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel fil...
Source: vendor_debian · 2023 · CVSS 7.8
Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
Scope: local
bookworm: resolved (fixed in 0.6500-4~deb12u1)
bullseye: resolved (fixed in 0.6500-1.1+deb11u1)
forky: resolved (fixed in 0.6500-4)
sid: resolved (fixed in 0.6500-4)
trixie: resolved (fixed in 0.6500-4)
GHSA
CVE-2023-7101 [HIGH] CWE-94: GHSA-3c85-mx4x-435c: Spreadsheet::ParseExcel version 0
Source: ghsa_unreviewed · 2023-12-25
Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
OSV
CVE-2023-7101 [HIGH]: Spreadsheet::ParseExcel version 0
Source: osv · 2023-12-24 · CVSS 7.8
Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
VulnCheck
CVE-2023-7101 [HIGH] CWE-95: Spreadsheet::ParseExcel Remote Code Execution Vulnerability
Source: vulncheck · 2023 · CVSS 7.8
Spreadsheet::ParseExcel contains a remote code execution vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings within the Excel parsing logic.
Affected: Spreadsheet::ParseExcel Spreadsheet::ParseExcel
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/barracuda-email-security-gateway-esg-malicious-activity-additional-indicators-compromise-released; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2024
No detection rules found.
Rapid7
CVE-2026-20182 [CRITICAL]: Metasploit Wrap Up 05/22/2026
Source: blogs_rapid7 · 2026-05-22 · CVSS 9.8
## Another week, another authentication bypass
Our humble Metasploit weekly(ish) blog has been blessed with a new network component vulnerability. The dynamic duo of @sfewer-r7 and @jburgess-r7 have discovered and authored the admin/networking/cisco_sdwan_vhub_auth_bypass module for CVE-2026-20182, a vulnerability gracing the Cisco Catalyst SD-WAN Controller. The devices, whose purpose is to control a software-defined (SD) wide-area network (WAN), were unfortunately missing an extra A for authentication. An oversight that Cisco has duly patched.
Elsewhere this week, the HUSTOJ online judge platform has been caught failing to judge its own zip files (CVE-2026-24479), courtesy of a zip-slip RCE module from LoTuS and friends. Next, @Alpenlol has weaponized the small matter of Barracuda's Emai
Bleepingcomputer
[HIGH] CISA warns of actively exploited bugs in Chrome and Excel parsing library
Source: blogs_bleepingcomputer · 2024-01-03 · CVSS 8.8
## CISA warns of actively exploited bugs in Chrome and Excel parsing library
By Bill Toulas
The U.S. Cybersecurity and Infrastructure Security Agency has added two vulnerabilities to the Known Exploited Vulnerabilities catalog, a recently patched flaw in Google Chrome and a bug affecting an open-source Perl library for reading information in an Excel file called Spreadsheet::ParseExcel.
America's cyber defense agency has given federal agencies until January 23 to mitigate the two security issues tracked as CVE-2023-7024 and CVE-2023-7101 according to vendor instructions or to stop using the vulnerable products.
## Spreadsheet::ParseExcel RCE
The first issue that CISA added to its Known Exploited Vulnerabilities (KEV) is CVE-2023-7101 , a remote code execution vulnerability that affect
Bleepingcomputer
CVE-2023-7102 [CRITICAL]: Barracuda fixes new ESG zero-day exploited by Chinese hackers
Source: blogs_bleepingcomputer · 2023-12-27 · CVSS 9.4
## Barracuda fixes new ESG zero-day exploited by Chinese hackers
By Sergiu Gatlan
Network and email security firm Barracuda says it remotely patched all active Email Security Gateway (ESG) appliances on December 21 against a zero-day bug exploited by UNC4841 Chinese hackers.
The company deployed a second wave of security updates a day later on already compromised ESG appliances where the attackers deployed SeaSpy and Saltwater malware.
Disclosed on Christmas Eve and tracked as CVE-2023-7102 , the zero-day is due to a weakness in the Spreadsheet::ParseExcel third-party library used by the Amavis virus scanner running on Barracuda ESG appliances.
Attackers can exploit the flaw to execute arbitrary code on unpatched ESG appliances through parameter injection.
The company also filed the
References
- http://www.openwall.com/lists/oss-security/2023/12/29/4
- https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171
- https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md
- https://github.com/haile01/perl_spreadsheet_excel_rce_poc
- https://github.com/jmcnamara/spreadsheet-parseexcel/commit/bd3159277e745468e2c553417b35d5d7dc7405bc
- https://metacpan.org/dist/Spreadsheet-ParseExcel
- https://www.cve.org/CVERecord?id=CVE-2023-7101
- https://lists.debian.org/debian-lts-announce/2023/12/msg00025.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/IFEHKULQRVXHIV7XXK2RGD4VQN6Y4CV5/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/M2FIWDHRYTAAQLGM6AFOZVM7AFZ4H2ZR/
- https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-7101
Timeline
- 2023-12-24: Published
- 2024-01-02: Added to CISA KEV
- Exploited in the wild