CVE-2024-45290: 
PHP vulnerability analysis and mitigation

PHPSpreadsheet, a pure PHP library for reading and writing spreadsheet files, was found to contain a vulnerability (CVE-2024-45290) that allows attackers to construct malicious XLSX files with linked media from external URLs. When such files are opened, PhpSpreadsheet retrieves image size and type by reading file contents if the provided path is a URL. The vulnerability affects versions prior to 1.29.2, 2.0.0 to 2.1.1, and 2.2.0 to 2.3.0 (GitHub Advisory).

The vulnerability stems from the XLSX reader's handling of paths provided in the xl/drawings/rels/drawing1.xml.rels file within the XLSX archive. When processing these files, the reader calls setPath() with the provided path, and if the path is identified as a URL using filtervar(), it attempts to read the file contents. Critically, filter_var considers file:// and php:// URLs as valid. By using specially crafted php://filter URLs, attackers can create an error oracle that leaks file or URL contents character by character. The vulnerability has been assigned a CVSS v3.1 base score of 7.7 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (GitHub Advisory).

The vulnerability enables attackers to access any file on the server or leak information from arbitrary URLs. This could potentially expose sensitive information such as AWS IAM credentials and other confidential data stored on the system (GitHub Advisory).

The vulnerability has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade to these patched versions. There are no known workarounds for this vulnerability (GitHub Advisory).