CISA adds two known exploited vulnerabilities to catalogue - 20240105001

Overview

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

What is the vulnerability?

CVE ID	CVSS Score	Description
CVE-2023-7024	8.8	Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2023-7101	N.A	Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.

What is vulnerable?

The vulnerability affects the following products:

• Google Chrome Versions before 120.0.6099.129
• ParseExcel Versions before 0.66

Note: CVE-2023-7024 vulnerability could impact other chromium based browsers using WebRTC, and is not limited to Google Chrome.

What has been observed?

There is evidence of active exploitation of the vulnerabilities listed above.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of one month... (refer Patch Management):

• It is highly recommended to update to the following versions as soon as possible:
  • Google Chrome Version 120.0.6099.129
  • ParseExcel 0.66
  • Other chromium based browsers should be updated to their latest available versions

Additional References

• CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA
• NVD - CVE-2023-7024 (nist.gov)
• NVD - CVE-2023-7101 (nist.gov)
• CISA warns of actively exploited bugs in Chrome and Excel parsing library (bleepingcomputer.com)