CVE-2021-41270

NameCVE-2021-41270
DescriptionSymfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added 2 chars in that list: Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab `\t`) part of the vulnerable characters, and OWASP suggests using the single quote `'` for prefixing the value. Starting with versions 4.4.34 and 5.3.12, Symfony now follows the OWASP recommendations and uses the single quote `'` to prefix formulas and add the prefix to cells starting by `\t`, `\r` as well as `=`, `+`, `-` and `@`.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
symfony (PTS)jessie, jessie (lts)2.3.21+dfsg-4+deb8u6fixed
stretch (security)2.8.7+dfsg-1.3+deb9u3fixed
stretch (lts), stretch2.8.7+dfsg-1.3+deb9u5fixed
buster (security), buster, buster (lts)3.4.22+dfsg-2+deb10u3fixed
bullseye4.4.19+dfsg-2+deb11u6fixed
bookworm5.4.23+dfsg-1+deb12u2fixed
bookworm (security)5.4.23+dfsg-1+deb12u4fixed
sid, trixie6.4.15+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
symfonysourcejessie(not affected)
symfonysourcestretch(not affected)
symfonysourcebuster(not affected)
symfonysourcebullseye4.4.19+dfsg-2+deb11u1
symfonysource(unstable)4.4.19+dfsg-3

Notes

[buster] - symfony <not-affected> (Vulnerable code and support for csv_escape_formulas introduced in 4.1)
[stretch] - symfony <not-affected> (Vulnerable code and support for csv_escape_formulas introduced in 4.1)
https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x
https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8 (v4.4.35)
https://symfony.com/blog/cve-2021-41270-prevent-csv-injection-via-formulas
[jessie] - symfony <not-affected> (Vulnerable code and support for csv_escape_formulas introduced in 4.1)

Search for package or bug name: Reporting problems