NN-2019:2-01
CSV Injection on node label
Last update: 2024-05-20
| Advisory ID | NN-2019:2-01 |
|---|---|
| Topic | CSV Injection on node label |
| CWE Impact | |
| Issue date | 2019-11-11 |
| Affects | Guardian, CMC < v19.0.4 |
| CVE Name(s) | NA |
| CVSS Details | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
| CVSS Score | 5.2 (CVSS v4.0) 8.0 (CVSS v3.1) |
| CVE Risk Level | Medium (CVSS v4.0) High (CVSS v3.1) |
| Risk Level for Nozomi customers | Medium |
Summary
CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. An authenticated malicious user can insert a crafted formula in the node label that can be later executed on another system after another user has downloaded and opened the node list export.
Impact
Guardian/CMC starting before v19.0.4 are affected.
Affected Products
Guardian, CMC < v19.0.4
Workarounds and Mitigations
Not required
Solutions
Upgrade to v19.0.4
Modification History
2019-11-11: Initial revision
2023-09-04: Minor updates to format and metadata to improve the CSAF implementation
2023-11-13: Migrated to CSAF VEX format
2023-11-16: CSAF vers improvements
2024-05-20: Added CVSS v4.0 scoring where applicable
Related Links
Acknowledgements
We thank the following parties for their efforts:
- Jonas Becker of Deloitte GmbH for finding this bug
Contact
Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.More contact details on the PSIRT page.