NVD Vulnerability Detail

CVE-2024-45290

Summary	PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided path is a URL. By using specially crafted `php://filter` URLs an attacker can leak the contents of any file or URL. Note that this vulnerability is different from GHSA-w9xv-qf98-ccq4, and resides in a different component. An attacker can access any file on the server, or leak information form arbitrary URLs, potentially exposing sensitive information such as AWS IAM credentials. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Publication Date	Oct. 8, 2024, 6:15 a.m.
Registration Date	Oct. 8, 2024, noon
Last Update	Oct. 17, 2024, 4:54 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:phpoffice:phpspreadsheet::::::::	2.2.0			2.3.0
cpe:2.3:a:phpoffice:phpspreadsheet::::::::	2.0.0			2.1.1
cpe:2.3:a:phpoffice:phpspreadsheet::::::::				1.29.2

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-5gpr-w2p5-6m37		Exploit Patch Third Party Advisory
2	https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4		Not Applicable

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-918	サーバサイドリクエストフォージェリ	https://cwe.mitre.org/data/definitions/918.html
2	CWE-36	絶対パストラバーサル	https://cwe.mitre.org/data/definitions/36.html

JVN Vulnerability Information

PHPOffice の PhpSpreadsheet における絶対パストラバーサルに関する脆弱性

Title	PHPOffice の PhpSpreadsheet における絶対パストラバーサルに関する脆弱性
Summary	PHPOffice の PhpSpreadsheet には、絶対パストラバーサルに関する脆弱性、サーバサイドのリクエストフォージェリの脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Oct. 7, 2024, midnight
Registration Date	Oct. 17, 2024, 10:37 a.m.
Last Update	Oct. 17, 2024, 10:37 a.m.

Affected System

PHPOffice

PhpSpreadsheet 1.29.2 未満

PhpSpreadsheet 2.0.0 以上 2.1.1 未満

PhpSpreadsheet 2.2.0 以上 2.3.0 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-45290	https://www.cve.org/CVERecord?id=CVE-2024-45290
National Vulnerability Database (NVD)
2	CVE-2024-45290	https://nvd.nist.gov/vuln/detail/CVE-2024-45290

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-36	https://cwe.mitre.org/data/definitions/36.html
2	CWE-918	https://cwe.mitre.org/data/definitions/918.html

その他

No	Name	URL
関連文書
1	github.com (GHSA-5gpr-w2p5-6m37)	https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-5gpr-w2p5-6m37
2	github.com (GHSA-w9xv-qf98-ccq4)	https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4

Change Log

No	Changed Details	Date of change
1	[2024年10月17日] 掲載	Oct. 17, 2024, 10:37 a.m.