CSV Injection while download csv summary

Bug #2048106 reported by Jeremy Stanley
Affects                        Status       Importance  Assigned to           Milestone
OpenStack Dashboard (Horizon)  In Progress  High        Tatiana Ovchinnikova  (none)
OpenStack Security Advisory    Won't Fix    Undecided   Unassigned            (none)

Bug Description

Members of the VMT received the following report by E-mail:

1. Admin adds a user.

2. The user logs in and creates a compute instance.

3. The user changes the instance name to "=1+cmd|'/C calc'!A0".

4. Admin goes to download the CSV summary.

5. Admin opens the CSV and we can see that the calculator is opened.

See https://owasp.org/www-community/attacks/CSV_Injection to fix it.

Tags: security
Revision history for this message
Jeremy Stanley (fungi) wrote :
Changed in ossa:
status: New → Incomplete
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

My initial impression is that this seems very similar to bug 1842749 which was fixed in public, not under embargo, and which the VMT treated as a hardening opportunity, class D in our report taxonomy: https://security.openstack.org/vmt-process.html#report-taxonomy

Jeremy Stanley (fungi) wrote :

I've also subscribed lujiefsi, the original reporter.

Changed in horizon:
assignee: nobody → Tatiana Ovchinnikova (tmazur)
importance: Undecided → Critical
Changed in horizon:
importance: Critical → High
Tatiana Ovchinnikova (tmazur) wrote :

The issue is indeed very similar to https://bugs.launchpad.net/bugs/1842749, however the existing fix doesn't fully sanitize the cell values (as per https://owasp.org/www-community/attacks/CSV_Injection).
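One way to apply the OWASP guidance referred to above, written here as an added example rather than Horizon's code or the proposed fix: every cell whose first character is a formula trigger gets a leading single quote, and the csv module wraps every field in double quotes and doubles any embedded quote. The instance name is the one from the report; the other rows and the column names are constructed.

```python
import csv
import io

# Leading characters that make a spreadsheet treat a cell as a formula,
# as listed on the OWASP CSV Injection page cited in the report.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Return a cell value that a spreadsheet will display as literal text.

    Only the first character decides whether a cell is formula-like, so the
    check is on that character alone. Quote doubling and field wrapping are
    left to csv.writer so they are not applied twice.
    """
    if value is None:
        return ""
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):  # startswith accepts a tuple
        text = "'" + text
    return text


def rows_to_csv(header, rows):
    """Render header and rows as CSV text with every cell sanitised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in [header] + list(rows):
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


def find_unsafe_cells(csv_text):
    """Parse exported CSV back and return (row, col) of cells still formula-like.

    Useful as a regression check on an export path: the list must be empty.
    """
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c))
    return hits


# Constructed sample: the name from the report plus two harmless rows.
SAMPLE_HEADER = ["Instance Name", "Flavor"]
SAMPLE_ROWS = [
    ["=1+cmd|'/C calc'!A0", "m1.small"],
    ["-2+3", "m1.tiny"],
    ['web "prod" 01', "m1.large"],
]

if __name__ == "__main__":
    out = rows_to_csv(SAMPLE_HEADER, SAMPLE_ROWS)
    print(out)
    print("unsafe cells:", find_unsafe_cells(out))
```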

Tatiana Ovchinnikova (tmazur) wrote :
Changed in horizon:
status: New → Confirmed
Jeremy Stanley (fungi) wrote :

Thanks for checking. Since we didn't treat bug 1842749 as a vulnerability, and the risks for this are the same or a subset of that report, we should proceed in a similar fashion with this report as well. I'll switch it to public now.

description: updated
information type: Private Security → Public
tags: added: security
Changed in ossa:
status: Incomplete → Won't Fix
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/horizon/+/914156

Changed in horizon:
status: Confirmed → In Progress