ghsa-2xhg-w2g5-w95x
Vulnerability from github
Published
2021-11-24 21:01
Modified
2024-02-05 11:14
Severity ?
Summary
CSV Injection in symfony/serializer
Details
Description
CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with = is interpreted by the software as a formula and could be abused by an attacker.
In Symfony 4.1, we've added the opt-in csv_escape_formulas option in CsvEncoder, to prefix all cells starting by =, +, - or @ by a tab \t.
Since then, OWASP added 2 chars in that list: - Tab (0x09) - Carriage return (0x0D)
This makes our previous prefix char (Tab \t) part of the vulnerable characters, and OWASP suggests using the single quote ' for prefixing the value.
Resolution
Symfony now follows the OWASP recommendations and use the single quote ' to prefix formulas and adds the prefix to cells starting by \t, \r as well as =, +, - and @.
The patch for this issue is available here for branch 4.4.
Credits
We would like to thank Jake Barwell for reporting the issue and Jérémy Derussé for fixing the issue.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/serializer"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.3.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/serializer"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.4.35"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.4.35"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.3.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41270"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-24T20:04:02Z",
"nvd_published_at": "2021-11-24T19:15:00Z",
"severity": "MODERATE"
},
"details": "Description\n-----------\n\nCSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with `=` is interpreted by the software as a formula and could be abused by an attacker.\n\nIn Symfony 4.1, we\u0027ve added the opt-in `csv_escape_formulas` option in `CsvEncoder`, to prefix all cells starting by `=`, `+`, `-` or `@` by a tab `\\t`. \n\nSince then, OWASP added 2 chars in that list: \n- Tab (0x09)\n- Carriage return (0x0D)\n\nThis makes our previous prefix char (Tab `\\t`) part of the vulnerable characters, and [OWASP suggests](https://owasp.org/www-community/attacks/CSV_Injection) using the single quote `\u0027` for prefixing the value.\n\nResolution\n----------\n\nSymfony now follows the OWASP recommendations and use the single quote `\u0027` to prefix formulas and adds the prefix to cells starting by `\\t`, `\\r` as well as `=`, `+`, `-` and `@`.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8) for branch 4.4.\n\nCredits\n-------\n\nWe would like to thank Jake Barwell for reporting the issue and J\u00e9r\u00e9my Deruss\u00e9 for fixing the issue.\n",
"id": "GHSA-2xhg-w2g5-w95x",
"modified": "2024-02-05T11:14:05Z",
"published": "2021-11-24T21:01:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41270"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/pull/44243"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/serializer/CVE-2021-41270.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41270.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/releases/tag/v5.3.12"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2021-41270"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "CSV Injection in symfony/serializer"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.