{"id":23639,"date":"2024-10-30T10:00:37","date_gmt":"2024-10-30T09:00:37","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2024-0007\/"},"modified":"2024-11-08T16:06:47","modified_gmt":"2024-11-08T15:06:47","slug":"usd-2024-0007","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2024-0007\/","title":{"rendered":"usd-2024-0007"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.2\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n

usd-2024-0007 | CSV Injection in Jira Cloud<\/h1>\n

<\/h1>\n

Advisory ID<\/strong>: usd-2024-0007
Product<\/strong>: Jira Cloud
Affected Version<\/strong>: v1001.0.0-SNAPSHOT#100247 (and prior versions)
Vulnerability Type<\/strong>: Improper Neutralization of Formula Elements in a CSV File (CWE 1236)
Security Risk<\/strong>: HIGH
(CVSS 3.1: 8.0 - AV:N\/AC:L\/PR:L\/UI:R\/S:U\/C:H\/I:H\/A:H) (CVSS 4.0: 8.5 - AV:N\/AC:L\/AT:N\/PR:L\/UI:A\/VC:H\/VI:H\/VA:H\/SC:N\/SI:N\/SA:N)
Vendor URL<\/strong>: https:\/\/www.atlassian.com\/<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Closed as Finding was deemed 'Informational'
CVE Number<\/strong>: Not Assigned<\/p>\n

Desciption<\/h3>\n

Jira Cloud<\/em> by Atlassian<\/em> is a web-based tool for bug and issue tracking and agile project management. According to the vendor's website, over 100,000 customers worldwide use Jira<\/em>.<\/p>\n

Jira Cloud<\/em> is affected by a CSV injection vulnerability, potentially leading to the execution of arbitrary code via a crafted Excel file. A low-privileged remote attacker can create Jira<\/em> issues containing the malicious payload that will be included in the exported CSV file.<\/p>\n

Proof of Concept<\/h3>\n

Low-privileged users can create Jira<\/em> issues containing spreadsheet formulas in the summary<\/strong> field that becomes the title of the issue:<\/p>\n

\"\"<\/p>\n

Jira<\/em> issues can be exported in various formats, including CSV. The excerpt of the exported CSV file below shows that the injected formula =cmd|'\/c calc'!A0<\/strong> is not properly sanitized:<\/p>\n

## Summary,Issue key,Issue id,Issue Type,Status,Project key,Project name,[...]
cmd|'\/c calc'!A0,UAP2-1,44279,Task,To Do,UAP2,usd AG Pentest 2024,[...]<\/pre>\n
Opening the file in Microsoft Excel leads to the execution of the formula that will invoke the calculator application as a proof of concept, if Excel is configured to allow data connections or if the user confirms the corresponding warning message:
\"\"<\/p>\n
Fix<\/h3>\n
Where possible, the set of allowed characters for user input should be restricted using an allowlist.
Additionally, in the generation of spreadsheets, such CSV files, the following sanitization rules should be applied:<\/p>\n