CVE-2024-48877Integer Overflow to Buffer Overflow in Xls2csv

CWE-680Integer Overflow to Buffer OverflowCWE-787Out-of-bounds Write6 documents5 sources
Severity
7.8HIGHNVD
EPSS
0.2%
top 62.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
CatdocDebian CatdocXls2csv+1 more
Timeline
PublishedJun 2
Latest updateJun 11

Description

A memory corruption vulnerability exists in the Shared String Table Record Parser implementation in xls2csv utility version 0.95. A specially crafted malformed file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

NVDwagner/xls2csv0.95
CVEListV5xls2csv/xls2csv0.95
debiandebian/catdoc< catdoc 1:0.95-6~deb12u1 (bookworm)
Debiancatdoc/catdoc< 1:0.95-4.1+deb11u1+3

🔴Vulnerability Details

2
GHSA
GHSA-2x4q-h3hx-hhh6: A memory corruption vulnerability exists in the Shared String Table Record Parser implementation in xls2csv utility version 02025-06-02
OSV
CVE-2024-48877: A memory corruption vulnerability exists in the Shared String Table Record Parser implementation in xls2csv utility version 02025-06-02

📋Vendor Advisories

1
Debian
CVE-2024-48877: catdoc - A memory corruption vulnerability exists in the Shared String Table Record Parse...2024

🕵️Threat Intelligence

2
Talos
catdoc zero-day, NVIDIA, High-Logic FontCreator and Parallel vulnerabilities2025-06-11
Talos
catdoc zero-day, NVIDIA, High-Logic FontCreator and Parallel vulnerabilities2025-06-11
CVE-2024-48877 — Integer Overflow to Buffer Overflow | cvebase