This CVE seems invalid #1
Comments
|
See also projecthamster/hamster#750 for more in-depth discussion. |
|
@matthijskooijman I've read all the other posts you mentioned and I disagree ... The problem here is that hamster exports (note that you said [CVE-2023-36250] Arbitrary code exection possible through CSV import and this is wrong) the activity without any proper escaping. Meaning that I can create localy a malicious payload and send that to any victim. If that victim has formulas enabled that payload will get executed. So if YOUR APPLICATION is creating a csv, tsv file you are responsible for escaping malicious payloads ... |
Can you explain how you achieve that? AFAIK TSV and CSV are pure data file formats. They do not support formulas and anything else. If you use a spreadsheet software that does interpret some data as formula, then the issue is in the spreadsheet software, not in the software that generates the CSV/TSV. To me this CVE claim seems ill-founded. |
If you can use a spreadsheet software to show csv/tsv data and that data can be a formula you have your answer there. I understand your point of view, however if your software is providing and opening an excel on export, your software needs to sanitize the user input
I will not argue with that, thats your opinion, however MITRE reviewed my submission and agreed that this is indeed a vulnerability. Wether you find this is valid or no its up to you. The risk is low because there's need to be some user interaction, however there's still risk. This is where I stand. |
One of the hamster upstream maintainers here. We've heard about this issue through Debian and investigated. As far as we can tell, this is not actually a security issue in hamster (and probably not a security issue at all).
If you disagree, please elaborate on the issue.
If you agree, can we update the CVE accordingly?
The text was updated successfully, but these errors were encountered: