CVE-2021-41270: Improper Neutralization of Formula Elements in a CSV File
(updated )
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony is vulnerable to CSV injection, also known as formula injection. In Symfony, maintainers added the opt-in csv_escape_formulas option in the CsvEncoder, to prefix all cells starting with =, +, - or @ with a tab \t. Since then, OWASP added 2 chars in that list: Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab \t) part of the vulnerable characters, and OWASP suggests using the single quote ' for prefixing the value. Starting with, Symfony now follows the OWASP recommendations and uses the single quote ' to prefix formulas and add the prefix to cells starting by \t, \r as well as =, +, - and @.
References
- github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8
- github.com/symfony/symfony/pull/44243
- github.com/symfony/symfony/releases/tag/v5.3.12
- github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP/
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP/
- nvd.nist.gov/vuln/detail/CVE-2021-41270
Detect and mitigate CVE-2021-41270 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →