Skip to content

Formula Injection in Exported Data

Moderate
SchrodingersGat published GHSA-7rq4-qcpw-74gq Jun 15, 2022

Package

No package listed

Affected versions

< 0.7.2

Patched versions

0.7.2, 0.8.0

Description

Impact

Datasets exported to file (e.g. CSV / XLS) are not sufficiently sanitized, to neutralize potential formula injection

Patches

  • The issue is addressed in the upcoming 0.8.0 release
  • This fix will also be back-ported to the 0.7.x branch, applied to the 0.7.2 release

Workarounds

Users exporting untrusted data should open the files in safe mode (e.g. in Microsoft Excel).

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

No known CVE

Weaknesses

Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Learn more on MITRE.

Credits