{
  "schema_version": "1.4.0",
  "id": "GHSA-634p-93h9-92vh",
  "modified": "2022-09-19T20:20:23Z",
  "published": "2022-09-16T22:06:55Z",
  "aliases": [
    "CVE-2022-39217"
  ],
  "summary": "ghas-to-csv vulnerable to Improper Neutralization of Formula Elements in a CSV File",
  "details": "### Impact\n\nThis GitHub Action creates a CSV file without sanitizing the output of the APIs.  If an alert is dismissed or any other custom field contains executable code / formulas, it might be run when an endpoint opens that CSV file in a spreadsheet program.  The data flow looks like this 👇🏻 \n\n```mermaid\ngraph TD\n    A(Repository) -->|developer dismissal, other data input| B(GitHub Advanced Security data)\n    B -->|ghas-to-csv| C(CSV file)\n    C -->|spreadsheet program| D(endpoint executes potentially malicious code)\n```\n\n### Patches\n\nPlease use version `v1` or later.  That tag moves from using `csv` to `defusedcsv` to mitigate this problem.\n\n### Workarounds\n\nThere is no workaround.  Please upgrade to using the latest tag, `v1` (or later).\n\n### References\n\n* CWE-1236 information from [MITRE](https://cwe.mitre.org/data/definitions/1236.html)\n* CSV injection information from [OWASP](https://owasp.org/www-community/attacks/CSV_Injection)\n* CodeQL query for CWE-1236 in Python [here](https://github.com/github/codeql/tree/main/python/ql/src/experimental/Security/CWE-1236)\n* PyPI site for `defusedcsv` [here](https://pypi.org/project/defusedcsv/)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in this repository [here](https://github.com/some-natalie/ghas-to-csv/issues)\n",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "some-natalie/ghas-to-csv"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/some-natalie/ghas-to-csv/security/advisories/GHSA-634p-93h9-92vh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39217"
    },
    {
      "type": "WEB",
      "url": "https://github.com/some-natalie/ghas-to-csv/issues/19"
    },
    {
      "type": "WEB",
      "url": "https://github.com/some-natalie/ghas-to-csv/pull/20"
    },
    {
      "type": "WEB",
      "url": "https://github.com/some-natalie/ghas-to-csv/commit/d0b521928fa734513b5cd9c7d9d8e09db50e884a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/some-natalie/ghas-to-csv"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-74"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T22:06:55Z",
    "nvd_published_at": "2022-09-17T00:15:00Z"
  }
}