cbcvebase.
CVE-2023-7101
published 2023-12-24


Priority P1 (81, high); CVSS 3.1 score 7.8
CISA Known Exploited Vulnerability (remediation due 2024-01-23); exploited in the wild
EPSS: 16.70% (96.6th percentile)
Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.

Affected (6 ranges)

Vendor          Product                          Version range                   Fixed in
debian          debian_linux
debian          libspreadsheet-parseexcel-perl   < 0.6500-4~deb12u1 (bookworm)   0.6500-4~deb12u1 (bookworm)
douglas_wilson  spreadsheet_parseexcel
fedoraproject   fedora
fedoraproject   fedora
jmcnamara       spreadsheet                      <= 0.65

Detection & IOCs (extracted from sources)

filename: Utility.pm
other: Malicious BIFF8 XLS file with payload embedded in a FORMAT record
  • Detect exploitation by monitoring for eval() execution triggered by Excel Number format strings in Spreadsheet::ParseExcel (Utility.pm). Malicious payloads are injected via FORMAT records in BIFF8 XLS files and must not contain ']' or single-quote characters.
  • Hunt for XLS email attachments delivered to Barracuda ESG appliances (versions 5.1.3.001 through 9.2.1.001) that trigger Amavis/Spreadsheet::ParseExcel processing — these are the attack vector for CVE-2023-7102/CVE-2023-7101 exploitation.
  • Post-exploitation: look for SeaSpy and Saltwater malware artifacts on ESG appliances, consistent with UNC4841 (China-nexus) TTPs observed starting November 2023.
  • The exploit payload injected into the XLS FORMAT record must avoid ']' (terminates format string) and single quotes (breaks Perl eval injection) — use these constraints to craft detection signatures for anomalous FORMAT record content in XLS files.
  • CVE-2023-7101 tracks the vulnerability in the upstream open-source Spreadsheet::ParseExcel library (fixed in version 0.66), while CVE-2023-7102 tracks the specific Barracuda ESG implementation. Organizations using the library in their own products must patch independently.
  • CISA's KEV remediation deadline was January 23, 2024 for federal agencies. The vulnerability affects a common open-source component used across many products, so vendor-specific patching status must be checked individually.
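As an added example (not ParseExcel's, Barracuda's or any vendor's code) that connects the eval'd Number format strings in the description to the FORMAT-record detection idea in the bullets above: a Python walker over a raw BIFF8 record stream that reports FORMAT records whose format string falls outside the character set Excel number formats actually use. It assumes the Workbook stream has already been extracted from the OLE2 container (for example with olefile), the record layout from [MS-XLS] (FORMAT = 0x041E, ifmt followed by an XLUnicodeString), and a sample stream constructed inline; the allowlist is a heuristic, not a grammar check.

```python
import re
import struct

FORMAT_RECORD = 0x041E  # BIFF8 FORMAT record type (assumed from [MS-XLS])
# Allowlist from the Excel number-format grammar: placeholders (0 # ?), separators,
# currency/percent, date-time letters, [conditions/colours] with < > =, padding
# (_ *), backslash escapes, the @ text placeholder and ; section separators.
ALLOWED = re.compile(r'^[0-9#?.,%$+\-/():;<>=\s@\\_*\[\]A-Za-z]*$')

def iter_biff_records(stream: bytes):
    """Yield (record_type, body) for each record; stop at a truncated record."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, length = struct.unpack_from('<HH', stream, pos)
        body = stream[pos + 4:pos + 4 + length]
        if len(body) < length:
            break
        yield rtype, body
        pos += 4 + length

def decode_xl_unicode_string(body: bytes, offset: int) -> str:
    """Decode a BIFF8 XLUnicodeString: cch (u16), flags (u8), then characters."""
    cch, flags = struct.unpack_from('<HB', body, offset)
    start = offset + 3
    if flags & 0x01:  # fHighByte set: characters are UTF-16LE
        return body[start:start + 2 * cch].decode('utf-16-le', errors='replace')
    return body[start:start + cch].decode('latin-1')

def suspicious_formats(stream: bytes):
    """Return [(ifmt, format_string)] for FORMAT records that fail the allowlist."""
    hits = []
    for rtype, body in iter_biff_records(stream):
        if rtype != FORMAT_RECORD or len(body) < 5:
            continue
        ifmt = struct.unpack_from('<H', body, 0)[0]
        fmt = decode_xl_unicode_string(body, 2)
        # Quoted literal text may legitimately hold anything; strip it first.
        if not ALLOWED.match(re.sub(r'"[^"]*"', '', fmt)):
            hits.append((ifmt, fmt))
    return hits

def make_format_record(ifmt: int, fmt: str) -> bytes:
    """Build a compressed-string FORMAT record (used only to construct sample input)."""
    data = fmt.encode('latin-1')
    body = struct.pack('<HHB', ifmt, len(data), 0) + data
    return struct.pack('<HH', FORMAT_RECORD, len(body)) + body

# Constructed sample: a normal custom format, one with quoted text, one with odd characters.
SAMPLE = (make_format_record(164, '#,##0.00;[Red]-#,##0.00')
          + make_format_record(165, '0.0" units"')
          + make_format_record(166, '0.00;{x}`'))
```

Running `suspicious_formats(SAMPLE)` reports only the third record; a file whose last record is truncated is stopped at the truncation point rather than mis-parsed.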

CVSS provenance

Source         Score  Severity  Vector
nvd (v3.1)     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv            7.8    HIGH
vulncheck      7.8    HIGH
cisa           7.8    HIGH
vendor_debian  7.8    HIGH