CVE-2021-41270: Improper Neutralization of Formula Elements in a CSV File
(updated )
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony is vulnerable to CSV injection, also known as formula injection. In Symfony, maintainers added the opt-in csv_escape_formulas
option in the CsvEncoder
, to prefix all cells starting with =
, +
, -
or @
with a tab \t
. Since then, OWASP added 2 chars in that list: Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab \t
) part of the vulnerable characters, and OWASP suggests using the single quote '
for prefixing the value. Starting with, Symfony now follows the OWASP recommendations and uses the single quote '
to prefix formulas and add the prefix to cells starting by \t
, \r
as well as =
, +
, -
and @
.
References
- github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8
- github.com/symfony/symfony/pull/44243
- github.com/symfony/symfony/releases/tag/v5.3.12
- github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP/
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP/
- nvd.nist.gov/vuln/detail/CVE-2021-41270
Detect and mitigate CVE-2021-41270 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →