CWE-1236 Detail

CWE-1236

Name

Improper Neutralization of Formula Elements in a CSV File

Status

Incomplete

Published

2020-02-24
00h00 +00:00

Modified

2023-06-29
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

CWE Description

User-provided data is often saved to traditional databases. This data can be exported to a CSV file, which allows users to read the data using spreadsheet software such as Excel, Numbers, or Calc. This software interprets entries beginning with '=' as formulas, which are then executed by the spreadsheet software. The software's formula language often allows methods to access hyperlinks or the local command line, and frequently allows enough characters to invoke an entire script. Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software.

General Informations

Modes Of Introduction

Implementation : The weakness is in the implementation of a software's CSV export feature, in particular how it formats formula entries as the output gets flattened into a text file.

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Operating Systems

Class: Not OS-Specific (Undetermined)

Architectures

Class: Not Architecture-Specific (Undetermined)

Technologies

Name: Other (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Confidentiality	Read Application Data, Execute Unauthorized Code or Commands Note: Current versions of Excel warn users of untrusted content.	Low

Observed Examples

References	Description
CVE-2019-12134	Low privileged user can trigger CSV injection through a contact form field value
CVE-2019-4521	Cloud management product allows arbitrary command execution via CSV injection
CVE-2019-17661	CSV injection in content management system via formula code in a first or last name

Potential Mitigations

Phases : Implementation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Phases : Implementation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Phases : Architecture and Design
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

References

REF-21

CSV Injection
OWASP.
https://owasp.org/www-community/attacks/CSV_Injection

REF-22

Data Extraction to Command Execution CSV Injection
Jamie Rougvie.
https://www.veracode.com/blog/secure-development/data-extraction-command-execution-csv-injection

REF-23

The Absurdly Underestimated Dangers of CSV Injection
George Mauer.
http://georgemauer.net/2017/10/07/csv-injection.html

REF-24

Comma Separated Vulnerabilities
James Kettle.
https://rstforums.com/forum/topic/82690-comma-separated-vulnerabilities/

Submission

Name	Organization	Date	Date release	Version
CWE Content Team	MITRE	2019-11-21 +00:00	2020-02-24 +00:00	4.0

Modifications

Name	Organization	Date	Comment
CWE Content Team	MITRE	2020-08-20 +00:00	updated Relationships
CWE Content Team	MITRE	2021-03-15 +00:00	updated Description, Potential_Mitigations
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description
CWE Content Team	MITRE	2023-04-27 +00:00	updated References, Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes