
CVE-2021-41128 : Security Advisory and Response

Hygeia application versions > 1.11.0 and < 1.30.4 are vulnerable to CSV Injection, allowing malicious code execution. This advisory covers the impact, affected systems, exploitation mechanism, and mitigation steps.

Hygeia is an application for collecting and processing personal and case data in connection with communicable diseases. In affected versions, all CSV Exports contain a CSV Injection Vulnerability that allows malicious code execution.

Understanding CVE-2021-41128

What is CVE-2021-41128?

Hygeia application versions > 1.11.0, < 1.30.4 are affected by a CSV Injection Vulnerability: formula fields in CSV Exports are not validated, so an attacker can introduce formulas that are evaluated when the export is ingested, resulting in malicious code execution.

The Impact of CVE-2021-41128

This vulnerability has a CVSS base score of 9.1 (Critical severity), with high confidentiality impact, low integrity impact, and low availability impact. It requires low privileges and no user interaction, and its scope is Changed.

Technical Details of CVE-2021-41128

Vulnerability Description

Users can submit formulas in fields that are later written to CSV Exports. Because the exported fields are neither validated nor sanitized, the formula is evaluated when the file is ingested by a spreadsheet application, which lets an attacker craft and execute malicious code.

Affected Systems and Versions

        Product: Hygeia
        Vendor: jshmrtn
        Affected Versions: > 1.11.0, < 1.30.4

Exploitation Mechanism

        Attack Complexity: Low
        Attack Vector: Network
        Privileges Required: Low
        User Interaction: None
        Scope: Changed

Mitigation and Prevention

Immediate Steps to Take

        Upgrade the Hygeia package to version 1.30.4 to mitigate the vulnerability.

Long-Term Security Practices

        Validate and sanitize user inputs to prevent code injection vulnerabilities.
        Regularly update software to patch known security issues.
        Educate users about the risks of executing code from untrusted sources.
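The sanitization the advisory calls for, shown as an added example that is not Hygeia's own code (the project is not written in Python): any exported cell whose first character could start a spreadsheet formula (`=`, `+`, `-`, `@`, tab, carriage return) is prefixed with a single quote so that spreadsheet applications treat it as text, and every field is double-quoted so that a crafted value cannot close the field early. Numeric values typed as numbers are left untouched so that negative numbers stay numeric; strings beginning with `-` are treated as untrusted text. The `contains_formula` check covers the advisory's input-validation step, and the sample rows are constructed for this example.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start
# of a formula (the tab and carriage-return cases cover cells that begin
# with whitespace followed by a formula character).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def contains_formula(value):
    """Input-side validation: True if a user-supplied string would be
    interpreted as a formula once exported. Use this to reject or flag
    values at submission time."""
    return isinstance(value, str) and value[:1] in FORMULA_TRIGGERS


def neutralize_cell(value):
    """Output-side sanitization: return a string that is safe to place in a
    CSV export cell.

    Genuine numbers (int/float, but not bool) are emitted as-is so that a
    negative amount stays numeric. Everything else is treated as text and,
    if it starts with a formula trigger, prefixed with a single quote, which
    spreadsheet applications honour as a "this is text" marker."""
    if value is None:
        return ""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    if contains_formula(text):
        return "'" + text
    return text


def export_rows(rows, fieldnames):
    """Write rows (list of dicts) to CSV text. QUOTE_ALL wraps every field
    in double quotes and doubles embedded quotes, so a value containing
    '",' cannot break out of its cell and start a new one."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample records: one benign name, one formula-like name,
    # an address starting with '@', and a phone number starting with '+'.
    SAMPLE_ROWS = [
        {"name": "Alice Example", "address": "Main Street 1", "phone": "0441234567", "cases": 2},
        {"name": "=SUM(1,2)", "address": "@Home Street 5", "phone": "+41441234567", "cases": -1},
    ]
    print(export_rows(SAMPLE_ROWS, ["name", "address", "phone", "cases"]))
```

The phone-number row shows the trade-off: a legitimate value beginning with `+` is also prefixed, which is the expected cost of the defense; consumers that need the raw value should read it from the application, not from the CSV.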

Patching and Updates

        The vulnerability has been resolved in version 1.30.4. All users are advised to upgrade their package to this or a newer version.
