CVE-2024-22368: 
Linux Debian vulnerability analysis and mitigation

The Spreadsheet::ParseXLSX package before version 0.28 for Perl contains a vulnerability (CVE-2024-22368) that can lead to an out-of-memory condition during parsing of crafted XLSX documents. The vulnerability was discovered by Đình Hải Lê in October 2023 and was publicly disclosed in January 2024. The issue affects the memoize implementation which lacks appropriate constraints on merged cells (Security MetaCPAN, NVD).

The vulnerability occurs due to the way the module handles merged cells in XLSX documents. An attacker could create a spreadsheet file and set a merged cell to include all possible cells in the spreadsheet. Because of the implementation's lack of constraints, it would allocate excessive amounts of RAM to track the merged cell. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD, Security MetaCPAN).

When exploited, this vulnerability can cause a denial of service condition through memory exhaustion. Simply uploading a specially crafted spreadsheet to a web application using the vulnerable module would cause a denial of service as all memory on the server would be consumed (Security MetaCPAN).

The vulnerability has been fixed in Spreadsheet::ParseXLSX version 0.28 and later. Users are strongly advised to upgrade to the latest version. The fix was implemented by Michael Daum (NUDDLEGG) who became the new maintainer of the module. Various Linux distributions have also released security updates to address this vulnerability, including Debian, Ubuntu, and Fedora (Security MetaCPAN, Debian LTS).