GHSA-2XHG-W2G5-W95X
Vulnerability from github – Published: 2021-11-24 21:01 – Updated: 2024-02-05 11:14
VLAI?
Summary
CSV Injection in symfony/serializer
Details
Description
CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with = is interpreted by the software as a formula and could be abused by an attacker.
In Symfony 4.1, we've added the opt-in csv_escape_formulas option in CsvEncoder, to prefix all cells starting by =, +, - or @ by a tab \t.
Since then, OWASP added 2 chars in that list: - Tab (0x09) - Carriage return (0x0D)
This makes our previous prefix char (Tab \t) part of the vulnerable characters, and OWASP suggests using the single quote ' for prefixing the value.
Resolution
Symfony now follows the OWASP recommendations and use the single quote ' to prefix formulas and adds the prefix to cells starting by \t, \r as well as =, +, - and @.
The patch for this issue is available here for branch 4.4.
Credits
We would like to thank Jake Barwell for reporting the issue and Jérémy Derussé for fixing the issue.
Severity ?
6.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/serializer"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.3.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/serializer"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.4.35"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.4.35"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.3.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41270"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-24T20:04:02Z",
"nvd_published_at": "2021-11-24T19:15:00Z",
"severity": "MODERATE"
},
"details": "Description\n-----------\n\nCSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with `=` is interpreted by the software as a formula and could be abused by an attacker.\n\nIn Symfony 4.1, we\u0027ve added the opt-in `csv_escape_formulas` option in `CsvEncoder`, to prefix all cells starting by `=`, `+`, `-` or `@` by a tab `\\t`. \n\nSince then, OWASP added 2 chars in that list: \n- Tab (0x09)\n- Carriage return (0x0D)\n\nThis makes our previous prefix char (Tab `\\t`) part of the vulnerable characters, and [OWASP suggests](https://owasp.org/www-community/attacks/CSV_Injection) using the single quote `\u0027` for prefixing the value.\n\nResolution\n----------\n\nSymfony now follows the OWASP recommendations and use the single quote `\u0027` to prefix formulas and adds the prefix to cells starting by `\\t`, `\\r` as well as `=`, `+`, `-` and `@`.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8) for branch 4.4.\n\nCredits\n-------\n\nWe would like to thank Jake Barwell for reporting the issue and J\u00e9r\u00e9my Deruss\u00e9 for fixing the issue.\n",
"id": "GHSA-2xhg-w2g5-w95x",
"modified": "2024-02-05T11:14:05Z",
"published": "2021-11-24T21:01:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41270"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/pull/44243"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/serializer/CVE-2021-41270.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41270.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/releases/tag/v5.3.12"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2021-41270"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "CSV Injection in symfony/serializer"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…