Lucene search

GitHub_MCVELIST:CVE-2021-41128

HistoryOct 06, 2021 - 5:35 p.m.

CVE-2021-41128 CSV Injection Vulnerability in Hygeia

2021-10-0617:35:12

CWE-74

GitHub_M

www.cve.org

hygeia application

csv injection

vulnerability

statistics

bag med

validation

sanitization

malicious code

resolution

upgrade

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

AI Score

9.5

Confidence

High

EPSS

0.003

Percentile

71.5%

JSON

Hygeia is an application for collecting and processing personal and case data in connection with communicable diseases. In affected versions all CSV Exports (Statistics & BAG MED) contain a CSV Injection Vulnerability. Users of the system are able to submit formula as exported fields which then get executed upon ingestion of the exported file. There is no validation or sanitization of these formula fields and so malicious may construct malicious code. This vulnerability has been resolved in version 1.30.4. There are no workarounds and all users are advised to upgrade their package.

CNA Affected

[
  {
    "product": "hygeia",
    "vendor": "jshmrtn",
    "versions": [
      {
        "status": "affected",
        "version": "> 1.11.0, < 1.30.4"
      }
    ]
  }
]

References

github.com/beatrichartz/csv/issues/103

github.com/beatrichartz/csv/pull/104

github.com/jshmrtn/hygeia/commit/d917f27432fe84e1c9751222ae55bae36a4dce60

github.com/jshmrtn/hygeia/security/advisories/GHSA-8pwv-jhj2-2369

owasp.org/www-community/attacks/CSV_Injection