CVE - CVE-2021-41270

CVE-ID
CVE-2021-41270	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added 2 chars in that list: Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab `\t`) part of the vulnerable characters, and OWASP suggests using the single quote `'` for prefixing the value. Starting with versions 4.4.34 and 5.3.12, Symfony now follows the OWASP recommendations and uses the single quote `'` to prefix formulas and add the prefix to cells starting by `\t`, `\r` as well as `=`, `+`, `-` and `@`.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x URL:https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x FEDORA:FEDORA-2021-0294e8ca24 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP/ FEDORA:FEDORA-2021-10fd47b32d URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP/ MISC:https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8 URL:https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8 MISC:https://github.com/symfony/symfony/pull/44243 URL:https://github.com/symfony/symfony/pull/44243 MISC:https://github.com/symfony/symfony/releases/tag/v5.3.12 URL:https://github.com/symfony/symfony/releases/tag/v5.3.12
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20210915	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20210915)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)