ghas-to-csv vulnerable to Improper Neutralization of Formula Elements in a CSV File

Impact

This GitHub Action creates a CSV file without sanitizing the output of the APIs. If an alert is dismissed or any other custom field contains executable code / formulas, it might be run when an endpoint opens that CSV file in a spreadsheet program. The data flow looks like this 👇🏻

graph TD
    A(Repository) -->|developer dismissal, other data input| B(GitHub Advanced Security data)
    B -->|ghas-to-csv| C(CSV file)
    C -->|spreadsheet program| D(endpoint executes potentially malicious code)

Patches

Please use version v1 or later. That tag moves from using csv to defusedcsv to mitigate this problem.

Workarounds

There is no workaround. Please upgrade to using the latest tag, v1 (or later).

References

CWE-1236 information from MITRE
CSV injection information from OWASP
CodeQL query for CWE-1236 in Python here
PyPI site for defusedcsv here

For more information

If you have any questions or comments about this advisory:

Open an issue in this repository here

References

some-natalie published to advanced-security/ghas-to-csv Sep 16, 2022

Published to the GitHub Advisory Database Sep 16, 2022

Reviewed Sep 16, 2022

Published by the National Vulnerability Database Sep 17, 2022

Last updated Jan 28, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

For more information

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code

Credits