CVE-2021-41270 – symfony/serializer
Package
Manager: composer
Name: symfony/serializer
Vulnerable Version: >=5.0.0 <5.3.12 || >=4.1.0 <4.4.35
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00871 (percentile 0.74352)
Details
CSV Injection in symfony/serializer

Description
-----------
CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with `=` is interpreted by the software as a formula and could be abused by an attacker.

In Symfony 4.1, we added the opt-in `csv_escape_formulas` option in `CsvEncoder` to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added two characters to that list:

- Tab (0x09)
- Carriage return (0x0D)

This makes our previous prefix character (Tab `\t`) one of the vulnerable characters itself, and [OWASP suggests](https://owasp.org/www-community/attacks/CSV_Injection) using the single quote `'` to prefix the value instead.

Resolution
----------
Symfony now follows the OWASP recommendations and uses the single quote `'` to prefix formulas, adding the prefix to cells starting with `\t` and `\r` as well as `=`, `+`, `-` and `@`.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8) for branch 4.4.

Credits
-------
We would like to thank Jake Barwell for reporting the issue and Jérémy Derussé for fixing the issue.
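The following is an added illustration, not Symfony's own code: both escaping strategies the advisory describes (the old tab prefix over four trigger characters, and the fixed single-quote prefix over six) written in Python, with constructed sample rows so the defect in the old scheme can be checked offline.

```python
"""Added example: CsvEncoder-style formula escaping before and after the fix.
Not Symfony code; it re-implements the behaviour described in the advisory."""
import csv
import io

# Trigger set used before the fix (original OWASP list).
OLD_TRIGGERS = ("=", "+", "-", "@")
# Trigger set after the fix: OWASP added tab (0x09) and carriage return (0x0D).
NEW_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def escape_old(value: str) -> str:
    """Pre-fix behaviour: prefix a risky cell with a tab character."""
    return "\t" + value if value.startswith(OLD_TRIGGERS) else value


def escape_new(value: str) -> str:
    """Fixed behaviour: prefix with a single quote and cover \\t and \\r too."""
    return "'" + value if value.startswith(NEW_TRIGGERS) else value


def still_formula_like(value: str) -> bool:
    """True if the cell still begins with a character on the extended
    OWASP trigger list, i.e. a spreadsheet may still treat it as a formula."""
    return value.startswith(NEW_TRIGGERS)


def encode_csv(rows, escape) -> str:
    """Encode rows as CSV text, applying the given escaping to every cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([escape(str(cell)) for cell in row])
    return buf.getvalue()


# Constructed sample input: a benign cell, a formula-looking cell and a cell
# that already starts with a tab (one of the two newly listed triggers).
SAMPLE_ROWS = [
    ["name", "note"],
    ["alice", "=SUM(A1:A2)"],
    ["bob", "\t-1"],
]

if __name__ == "__main__":
    for label, fn in (("old", escape_old), ("new", escape_new)):
        print(f"--- {label} escaping ---")
        print(encode_csv(SAMPLE_ROWS, fn))
```

With the old scheme the escaped cell still starts with a tab, which is itself on the extended trigger list, and a cell that already begins with a tab is left untouched; the fixed scheme neutralises both cases.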
Metadata
Created: 2021-11-24T21:01:23Z
Modified: 2024-02-05T11:14:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-2xhg-w2g5-w95x/GHSA-2xhg-w2g5-w95x.json
CWE IDs: ["CWE-1236"]
Alternative ID: GHSA-2xhg-w2g5-w95x
Finding: F090
Auto approve: 1