Vulnerability Name:

CVE-2021-41270 (CCN-214072)

Assigned:2021-11-24
Published:2021-11-24
Updated:2021-12-15
Summary:Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added 2 chars in that list: Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab `\t`) part of the vulnerable characters, and OWASP suggests using the single quote `'` for prefixing the value. Starting with versions 4.4.34 and 5.3.12, Symfony now follows the OWASP recommendations and uses the single quote `'` to prefix formulas and add the prefix to cells starting by `\t`, `\r` as well as `=`, `+`, `-` and `@`.
CVSS v3 Severity:6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-1236
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2021-41270

Source: XF
Type: UNKNOWN
symfony-cve202141270-code-exec(214072)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/symfony/symfony/pull/44243

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/symfony/symfony/releases/tag/v5.3.12

Source: CCN
Type: symfony GIT Repository
Prevent CSV Injection via formulas

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-10fd47b32d

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-0294e8ca24

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-41270

Vulnerable Configuration:Configuration 1:
  • cpe:/a:sensiolabs:symfony:*:*:*:*:*:*:*:* (Version >= 4.1.0 and < 4.4.35)
  • OR cpe:/a:sensiolabs:symfony:*:*:*:*:*:*:*:* (Version >= 5.0.0 and < 5.3.12)

    • Configuration 2:
  • cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:sensiolabs:symfony:5.3.11:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    sensiolabs symfony *
    sensiolabs symfony *
    fedoraproject fedora 34
    fedoraproject fedora 35
    sensiolabs symfony 5.3.11