yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2048106] Re: CSV Injection while download csv summary

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jeremy Stanley <2048106@xxxxxxxxxxxxxxxxxx>
Date: Mon, 25 Mar 2024 13:36:32 -0000
Reply-to: Bug 2048106 <2048106@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Thanks for checking. Since we didn't treat bug 1842749 as a
vulnerability, and the risks for this are the same or a subset of that
report, we should proceed in a similar fashion with this report as well.
I'll switch it to public now.

** Description changed:

- This issue is being treated as a potential security risk under
- embargo. Please do not make any public mention of embargoed
- (private) security vulnerabilities before their coordinated
- publication by the OpenStack Vulnerability Management Team in the
- form of an official OpenStack Security Advisory. This includes
- discussion of the bug or associated fixes in public forums such as
- mailing lists, code review systems and bug trackers. Please also
- avoid private disclosure to other individuals not already approved
- for access to this information, and provide this same reminder to
- those who are made aware of the issue prior to publication. All
- discussion should remain confined to this private bug report, and
- any proposed fixes should be added to the bug as attachments. This
- embargo shall not extend past 2024-04-03 and will be made
- public by or on that date even if no fix is identified.
- 
  Members of the VMT received the following report by E-mail:
  
  1 admin add a user.
  
  2 the user  logins and create a compute instance
  
  3 the user  change the instance   name as "=1+cmd|'/C calc'!A0"
  
  4 admin go to download  csv summary
  
  5 admin open the csv and we can see that the calculator is opened.
  
  see https://owasp.org/www-community/attacks/CSV_Injection to fix it

** Information type changed from Private Security to Public

** Tags added: security

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/2048106

Title:
  CSV Injection while download csv summary

Status in OpenStack Dashboard (Horizon):
  Confirmed
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Members of the VMT received the following report by E-mail:

  1 admin add a user.

  2 the user  logins and create a compute instance

  3 the user  change the instance   name as "=1+cmd|'/C calc'!A0"

  4 admin go to download  csv summary

  5 admin open the csv and we can see that the calculator is opened.

  see https://owasp.org/www-community/attacks/CSV_Injection to fix it

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/2048106/+subscriptions