CVE-2021-41270: Improper Neutralization of Formula Elements in a CSV File in Symfony

Severity: 6.5 MEDIUM (NVD); 5.3 (OSV)
EPSS: 0.9% (top 24.75%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 24; latest update Aug 24

Description

Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added
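The escaping the description refers to, shown as an added standalone PHP example that is not Symfony's own CsvEncoder code: a cell whose first character is one of the listed prefixes gets a tab prepended so a spreadsheet reads it as text, and a checker scans the produced CSV for cells that would still be interpreted as formulas. The function names, the sample rows and the use of `FORMULA_PREFIXES` as a parameter are assumptions of this example; the patched releases extend the prefix list, but which characters they add is not shown on this page.

```php
<?php
// Added example, not Symfony's own implementation: emulates the escaping that
// the `csv_escape_formulas` context option applies and adds a checker that
// flags cells a spreadsheet could evaluate as a formula.

declare(strict_types=1);

// The prefixes named in the description. Assumption: treat the list as a
// parameter, since the patched releases extend it.
const FORMULA_PREFIXES = ['=', '+', '-', '@'];

/**
 * Prefix a formula-looking cell with a tab so a spreadsheet treats it as text.
 * Non-string and empty values are returned unchanged.
 */
function escapeFormula(mixed $value, array $prefixes = FORMULA_PREFIXES): mixed
{
    if (!is_string($value) || $value === '') {
        return $value;
    }

    return in_array($value[0], $prefixes, true) ? "\t".$value : $value;
}

/** Encode rows to CSV text, escaping every cell when $escapeFormulas is true. */
function encodeCsv(array $rows, bool $escapeFormulas): string
{
    $handle = fopen('php://memory', 'r+');
    foreach ($rows as $row) {
        if ($escapeFormulas) {
            $row = array_map('escapeFormula', $row);
        }
        // Separator, enclosure and escape passed explicitly for portability.
        fputcsv($handle, $row, ',', '"', '\\');
    }
    rewind($handle);
    $csv = stream_get_contents($handle);
    fclose($handle);

    return $csv;
}

/** Return [row, column] pairs of cells that still start with a formula prefix. */
function findFormulaCells(string $csv, array $prefixes = FORMULA_PREFIXES): array
{
    $hits = [];
    $handle = fopen('php://memory', 'r+');
    fwrite($handle, $csv);
    rewind($handle);
    $rowIndex = 0;
    while (($row = fgetcsv($handle, 0, ',', '"', '\\')) !== false) {
        foreach ($row as $col => $cell) {
            if ($cell !== null && $cell !== '' && in_array($cell[0], $prefixes, true)) {
                $hits[] = [$rowIndex, $col];
            }
        }
        $rowIndex++;
    }
    fclose($handle);

    return $hits;
}

// Constructed sample export: one user-supplied cell begins with '='.
$rows = [
    ['name', 'comment'],
    ['alice', 'looks fine'],
    ['mallory', '=1+1'],   // constructed formula-looking input
];

$unsafe = encodeCsv($rows, false);
$safe   = encodeCsv($rows, true);

printf("unescaped export flags %d cell(s)\n", count(findFormulaCells($unsafe)));
printf("escaped export flags %d cell(s)\n", count(findFormulaCells($safe)));
```

Run with `php example.php`: the unescaped export is flagged once (row 2, column 1) and the escaped export is not flagged, because the leading tab is preserved by `fputcsv` and means the cell no longer starts with a prefix character. The checker is the part worth keeping in a test suite for any export path that does not go through the encoder's option.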

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (6 packages)

Source     | Package            | Introduced | Fixed                          | More
-----------|--------------------|------------|--------------------------------|-----
Packagist  | symfony/serializer | 5.0.0      | 5.3.12                         | +1
Packagist  | symfony/symfony    | 4.1.0      | 4.4.35                         | +1
NVD        | sensiolabs/symfony | 4.1.0      | 4.4.35                         | +1
Debian     | symfony/symfony    |            | < 4.4.19+dfsg-2+deb11u1        | +3
Ubuntu     | symfony/symfony    |            | < 3.4.6+dfsg-1ubuntu0.1+esm2   | +1

Also affects: Fedora 34, 35

Patches

Vulnerability Details (5)

OSV: symfony vulnerabilities (2022-08-24)
CVEList: CSV Injection in Symfony (2021-11-24)
OSV: CVE-2021-41270: Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of re (2021-11-24)
OSV: CSV Injection in symfony/serializer (2021-11-24)
GHSA: CSV Injection in symfony/serializer (2021-11-24)

Vendor Advisories (2)

Ubuntu: Symfony vulnerabilities (2022-08-24)
Debian: CVE-2021-41270: symfony - Symfony/Serializer handles serializing and deserializing data structures for Sym... (2021)
CVE-2021-41270 — Sensiolabs Symfony vulnerability | cvebase