CVE & CISA-KEV Catalog

CVE-2021-41270: MEDIUM, 6.5 (CVSS v3, source: NVD)

Description

Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in `csv_escape_formulas` option to the `CsvEncoder`; when enabled, it prefixed every cell starting with `=`, `+`, `-` or `@` with a tab (`\t`). OWASP has since added two characters to its list of formula triggers: tab (0x09) and carriage return (0x0D). That makes the former prefix character itself one of the dangerous leading characters, so an "escaped" cell still begins with a trigger; OWASP instead recommends prefixing the value with a single quote (`'`). Starting with versions 4.4.35 and 5.3.12, Symfony follows the OWASP recommendation: it uses the single quote as the prefix and applies it to cells starting with `\t` or `\r` as well as `=`, `+`, `-` and `@`. Note that the option is opt-in; upgrading only helps if `csv_escape_formulas` is actually enabled in the encoder context.
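The following added example (not Symfony's code; a stand-alone Python re-implementation of the two escaping rules the advisory describes) shows why the tab prefix was insufficient and what the OWASP-style fix changes. It encodes a small constructed table with the pre-fix rule and with the post-fix rule, then re-parses the CSV and reports every cell a spreadsheet could still treat as a formula. The trigger lists, helper names and sample rows are this example's own assumptions.

```python
import csv
import io

# Leading characters that spreadsheet applications may treat as the start of a
# formula. Symfony's original list was the first four; OWASP later added tab
# (0x09) and carriage return (0x0D), as the advisory above describes.
FORMULA_TRIGGERS_OLD = ("=", "+", "-", "@")
FORMULA_TRIGGERS_OWASP = FORMULA_TRIGGERS_OLD + ("\t", "\r")


def escape_cell_old(value: str) -> str:
    """Pre-fix rule (Symfony < 4.4.35 / < 5.3.12 with csv_escape_formulas on):
    prefix a cell starting with = + - @ with a tab. The tab is itself a
    trigger under the OWASP list, so the cell stays formula-like."""
    if value and value.startswith(FORMULA_TRIGGERS_OLD):
        return "\t" + value
    return value


def escape_cell_owasp(value: str) -> str:
    """Post-fix rule: prefix with a single quote, and also treat a leading
    tab or carriage return as a trigger."""
    if value and value.startswith(FORMULA_TRIGGERS_OWASP):
        return "'" + value
    return value


def is_formula_like(value: str) -> bool:
    """True if the cell still begins with any character on the OWASP trigger list."""
    return bool(value) and value.startswith(FORMULA_TRIGGERS_OWASP)


def encode_rows(rows, escape) -> str:
    """Write rows as CSV text, applying `escape` to every cell (this stands in
    for an encoder whose escape-formulas option is enabled)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([escape(str(cell)) for cell in row])
    return buf.getvalue()


def unsafe_cells(csv_text: str):
    """Re-parse CSV text and return (row, col, value) for every cell a
    spreadsheet could still interpret as a formula. Useful as a check on an
    export you did not produce yourself."""
    found = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                found.append((r, c, cell))
    return found


# Constructed sample data: a user-supplied comment column containing a formula,
# a value that starts with a tab, a plain string and a negative number.
SAMPLE_ROWS = [
    ["id", "comment"],
    ["1", "=SUM(A1:A3)"],
    ["2", "\t-leading tab"],
    ["3", "plain text"],
    ["4", "-5"],
]


if __name__ == "__main__":
    for name, rule in (("no escaping", lambda v: v),
                       ("tab prefix (pre-fix)", escape_cell_old),
                       ("quote prefix (OWASP)", escape_cell_owasp)):
        leftovers = unsafe_cells(encode_rows(SAMPLE_ROWS, rule))
        print(f"{name}: {len(leftovers)} formula-like cell(s) remain: {leftovers}")
```

Running the script shows that the old tab prefix leaves exactly as many formula-like cells as no escaping at all, because every "protected" cell now starts with a tab, while the single-quote prefix leaves none. In a Symfony application the equivalent check is to confirm that the serializer context passed to `CsvEncoder` actually sets `csv_escape_formulas` to true, since the upgraded encoder only applies the new rule when that option is on.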

How to fix

Remediation Available

Package                        Distribution   Fixed in                       Advisory
symfony                        Debian         4.4.19+dfsg-2+deb11u1          CVE-2021-41270
symfony                        Debian         4.4.19+dfsg-3                  CVE-2021-41270
php-symfony                    Ubuntu         3.4.6+dfsg-1ubuntu0.1+esm2     USN-5290-1
php-symfony                    Ubuntu         4.3.8+dfsg-1ubuntu1+esm1       USN-5290-1
php-symfony-cache              Ubuntu         3.4.6+dfsg-1ubuntu0.1+esm2     USN-5290-1
php-symfony-cache              Ubuntu         4.3.8+dfsg-1ubuntu1+esm1       USN-5290-1
php-symfony-config             Ubuntu         3.4.6+dfsg-1ubuntu0.1+esm2     USN-5290-1
php-symfony-config             Ubuntu         4.3.8+dfsg-1ubuntu1+esm1       USN-5290-1
php-symfony-console            Ubuntu         3.4.6+dfsg-1ubuntu0.1+esm2     USN-5290-1
php-symfony-console            Ubuntu         4.3.8+dfsg-1ubuntu1+esm1       USN-5290-1
php-symfony-debug              Ubuntu         3.4.6+dfsg-1ubuntu0.1+esm2     USN-5290-1
php-symfony-debug              Ubuntu         4.3.8+dfsg-1ubuntu1+esm1       USN-5290-1
php-symfony-process            Ubuntu         3.4.6+dfsg-1ubuntu0.1+esm2     USN-5290-1
php-symfony-process            Ubuntu         4.3.8+dfsg-1ubuntu1+esm1       USN-5290-1
php-symfony-property-access    Ubuntu         3.4.6+dfsg-1ubuntu0.1+esm2     USN-5290-1
php-symfony-property-access    Ubuntu         4.3.8+dfsg-1ubuntu1+esm1       USN-5290-1
php-symfony-property-info      Ubuntu         3.4.6+dfsg-1ubuntu0.1+esm2     USN-5290-1
php-symfony-security-bundle    Ubuntu         3.4.6+dfsg-1ubuntu0.1+esm2     USN-5290-1
php-symfony-security-bundle    Ubuntu         4.3.8+dfsg-1ubuntu1+esm1       USN-5290-1
php-symfony-security-core      Ubuntu         3.4.6+dfsg-1ubuntu0.1+esm2     USN-5290-1
php-symfony-security-core      Ubuntu         4.3.8+dfsg-1ubuntu1+esm1       USN-5290-1
php-symfony-security-guard     Ubuntu         3.4.6+dfsg-1ubuntu0.1+esm2     USN-5290-1
php-symfony-security-guard     Ubuntu         4.3.8+dfsg-1ubuntu1+esm1       USN-5290-1
php-symfony-serializer         Ubuntu         3.4.6+dfsg-1ubuntu0.1+esm2     USN-5290-1
php-symfony-serializer         Ubuntu         4.3.8+dfsg-1ubuntu1+esm1       USN-5290-1
php-symfony-var-dumper         Ubuntu         3.4.6+dfsg-1ubuntu0.1+esm2     USN-5290-1
php-symfony-var-dumper         Ubuntu         4.3.8+dfsg-1ubuntu1+esm1       USN-5290-1
symfony                        Ubuntu         3.4.6+dfsg-1ubuntu0.1+esm2     USN-5290-1
symfony                        Ubuntu         4.3.8+dfsg-1ubuntu1+esm1       USN-5290-1

The distribution versions above are backports: the patch is carried in the packaged 3.4.x, 4.3.x and 4.4.19 releases, so a distribution package can be fixed while its version string is still below the upstream fix versions 4.4.35 and 5.3.12. For Composer-managed installs, compare against the upstream versions instead.

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Unchanged

Impact
  Confidentiality: High
  Integrity: None
  Availability: None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploit Intelligence

EPSS: 1.35% probability of exploitation in the next 30 days (68th percentile)

Moderate risk: more likely to be exploited than 68% of all known CVEs.


Embed a live status badge for CVE-2021-41270
CVE-2021-41270 severity badge

Markdown

[![CVE-2021-41270](https://tridentstack.com/cve/badge/CVE-2021-41270.svg)](https://tridentstack.com/cve/CVE-2021-41270)

HTML

<a href="https://tridentstack.com/cve/CVE-2021-41270"><img src="https://tridentstack.com/cve/badge/CVE-2021-41270.svg" alt="CVE-2021-41270"></a>


This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.