View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0029130 | mantisbt | security | public | 2021-10-01 05:54 | 2023-09-26 12:04 |
Reporter | Devendra Bhatla | Assigned To | dregad | ||
Priority | high | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 2.25.2 | ||||
Target Version | 2.25.3 | Fixed in Version | 2.25.3 | ||
Summary | 0029130: CVE-2021-43257: CSV Injection with CSV Export Feature | ||||
Description | Application is vulnerable on the Viewing issues page. If a user reports an issue to the bug tracker list with a command, and later another user who has access to the bug tracker list exports the CSV, that user will be affected by CSV injection, as the application is not escaping or handling the input. | ||||
Steps To Reproduce | Step 1: Log in to the application with any user. | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
Any update on this ? |
|
Any progress on this ? |
|
Sorry for the delay in responding. I confirm the problem. I am however not sure about what the best way to fix this is. It is easy enough when exporting data to prefix any text starting with The problem is if the CSV needs to be consumed programmatically, then the added |
|
CVE request 1166047 sent. Base of proposed fix:
I'm considering adding a config option, to let users decide whether they want to prefix formulas to avoid CSV injection or not. |
|
CVE-2021-43257 assigned. @Devendra Bhatla any feedback ? |
|
Hi @dregad Thanks for the heads up. Also, thanks for assigning a CVE-ID for the same; it can be observed that the CVE-ID is marked as RESERVED. I would like to request you to make this public once the fix/patch is deployed. Thanks and regards |
|
Yes this is the plan, as you can see I have set target version to 2.25.3.
Indeed. This is normal, as CVE-ID publication is delayed until the patch is out.
Of course, once 2.25.3 gets released, I'll notify MITRE and the CVE-ID will become public. |
|
Great. Would you please let me know by when I can expect the version 2.25.3 in order to validate the closure of the reported issue. Thanks and regards |
|
Soon, but I can't commit on a date - depends on my (lack of) spare time. |
|
Hi @dregad, |
|
Sorry this is not forgotten, but I unfortunately do not have time to spend on Mantis at the moment. |
|
Sorry that was resolved by mistake, due to inadvertently pushing a work-in-progress branch. |
|
@Devendra Bhatla apologies for taking so long to merge this, many thanks for your report and your patience. I will ask MITRE to release the CVE. |
|
MantisBT: master-2.25 7f4534c7 2021-10-29 06:33 |
Escape strings to prevent CSV injection Prefixing the string with a tab when it starts with =, -, + or @. Thanks to Devendra Bhatla for reporting the issue. Fixes 0029130, CVE-2021-43257 |
Affected Issues 0029130 |
|
mod - core/csv_api.php | ||
MantisBT: master-2.25 99eb8d41 2021-10-29 13:23 |
New config $g_csv_injection_protection Lets the user decide whether they want to prefix formulas to avoid CSV injection or not. Fixes 0029130 |
Affected Issues 0029130 |
|
mod - config_defaults_inc.php | ||
mod - core/csv_api.php | ||
mod - docbook/Admin_Guide/en-US/config/misc.xml |
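
The escaping described in commits 7f4534c7 and 99eb8d41 above, as an added example that is not MantisBT's own code from core/csv_api.php. The names `csv_escape_cell()`, `csv_row()` and the `$protect` parameter (standing in for `$g_csv_injection_protection`) are hypothetical, and the issue rows are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not MantisBT's csv_api.php. $protect stands in for
// the $g_csv_injection_protection setting named in the second commit.
function csv_escape_cell(string $value, bool $protect = true): string
{
    // Characters a spreadsheet treats as the start of a formula, per the
    // commit message: =, -, + and @. Only the first character is checked.
    if ($protect && $value !== '' && strpbrk($value[0], '=-+@') !== false) {
        // Leading tab, so the cell no longer begins with a formula character.
        $value = "\t" . $value;
    }
    // Standard CSV quoting: double embedded quotes, then wrap the field.
    return '"' . str_replace('"', '""', $value) . '"';
}

function csv_row(array $cells, bool $protect = true): string
{
    $escaped = array_map(
        fn(string $c): string => csv_escape_cell($c, $protect),
        $cells
    );
    return implode(',', $escaped) . "\r\n";
}

// Constructed sample issues (id, summary); not data from the report.
$issues = [
    ['1', 'Login page returns HTTP 500'],
    ['2', '=1+1'],
    ['3', '-2 offset in date picker'],
    ['4', '@mention is not linked'],
    ['5', 'He said "=1+1" in the notes'],
];

// Export the same rows with the protection on and off to compare.
foreach ([true, false] as $protect) {
    echo $protect ? "protection on:\n" : "protection off:\n";
    foreach ($issues as $issue) {
        echo csv_row($issue, $protect);
    }
}
```

With protection on, row 3 (an ordinary summary that happens to start with `-`) also gains the leading tab, which a program parsing the export has to strip. Row 5 is unchanged because only the first character of a cell is checked.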