CVE-2022-1544 - OpenCVE

Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Luya	Yii-helpers

Configuration 1 [-]

cpe:2.3:a:luya:yii-helpers:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/luyadev/yii-helpers/commit/9956ed63f516110c2b588471507b870e748c4cfb	Patch Third Party Advisory
https://huntr.dev/bounties/fa6d6e75-bc7a-40f6-9bdd-2541318912d4	Exploit Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: @huntrdev

Published: 2022-05-01T11:45:12

Updated: 2022-05-01T11:45:12

Reserved: 2022-05-01T00:00:00

Link: CVE-2022-1544

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-05-01T12:15:07.787

Modified: 2022-05-12T02:31:40.930

Link: CVE-2022-1544

JSON object: View

Redhat Information

No data.

CWE

CWE-1236

{"containers": {"cna": {"affected": [{"product": "luyadev/yii-helpers", "vendor": "luyadev", "versions": [{"lessThan": "1.2.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1236", "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-01T11:45:12", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://huntr.dev/bounties/fa6d6e75-bc7a-40f6-9bdd-2541318912d4"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/luyadev/yii-helpers/commit/9956ed63f516110c2b588471507b870e748c4cfb"}], "source": {"advisory": "fa6d6e75-bc7a-40f6-9bdd-2541318912d4", "discovery": "EXTERNAL"}, "title": "Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in luyadev/yii-helpers", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-1544", "STATE": "PUBLIC", "TITLE": "Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in luyadev/yii-helpers"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "luyadev/yii-helpers", "version": {"version_data": [{"version_affected": "<", "version_value": "1.2.1"}]}}]}, "vendor_name": "luyadev"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File"}]}]}, "references": {"reference_data": [{"name": "https://huntr.dev/bounties/fa6d6e75-bc7a-40f6-9bdd-2541318912d4", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/fa6d6e75-bc7a-40f6-9bdd-2541318912d4"}, {"name": "https://github.com/luyadev/yii-helpers/commit/9956ed63f516110c2b588471507b870e748c4cfb", "refsource": "MISC", "url": "https://github.com/luyadev/yii-helpers/commit/9956ed63f516110c2b588471507b870e748c4cfb"}]}, "source": {"advisory": "fa6d6e75-bc7a-40f6-9bdd-2541318912d4", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-1544", "datePublished": "2022-05-01T11:45:12", "dateReserved": "2022-05-01T00:00:00", "dateUpdated": "2022-05-01T11:45:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:luya:yii-helpers:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A398AA6-A3D5-4D58-8B5C-DCD177FFE04C", "versionEndExcluding": "1.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data."}, {"lang": "es", "value": "Una Inyecci\u00f3n de f\u00f3rmulas/inyecci\u00f3n de CSV debido a una Neutralizaci\u00f3n Inapropiada de elementos de f\u00f3rmulas en el archivo CSV en el repositorio de GitHub luyadev/yii-helpers versiones anteriores a 1.2.1. Una explotaci\u00f3n con \u00e9xito puede conllevar a impactos como una inyecci\u00f3n de comandos del lado del cliente, una ejecuci\u00f3n de c\u00f3digo o una exfiltraci\u00f3n remota de datos confidenciales contenidos"}], "id": "CVE-2022-1544", "lastModified": "2022-05-12T02:31:40.930", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-01T12:15:07.787", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/luyadev/yii-helpers/commit/9956ed63f516110c2b588471507b870e748c4cfb"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/fa6d6e75-bc7a-40f6-9bdd-2541318912d4"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1236"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1236"}], "source": "security@huntr.dev", "type": "Secondary"}]}