CVE-2021-41128

9.1 CRITICAL

📋 TL;DR

CVE-2021-41128 is a CSV injection vulnerability in Hygeia that allows users to embed malicious formulas in exported CSV files. When these files are opened in spreadsheet applications like Excel, the formulas execute, potentially leading to command execution or data theft. All Hygeia users running versions before 1.30.4 are affected.

💻 Affected Systems

Products:
  • Hygeia
Versions: All versions before 1.30.4
Operating Systems: All platforms running Hygeia
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in CSV export functionality for Statistics and BAG MED exports.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution on victim's machine when malicious CSV is opened in Excel, leading to full system compromise, data exfiltration, or ransomware deployment.

🟠

Likely Case

Local command execution on the victim's computer when CSV is opened, potentially stealing credentials, installing malware, or accessing sensitive files.

🟢

If Mitigated

Formula execution blocked by spreadsheet security settings or user awareness, resulting in no impact beyond formula display errors.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening CSV file) but can be delivered via web exports.
🏢 Internal Only: HIGH - Internal users can exploit against other internal users through shared exports.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated user access to create malicious CSV exports. CSV injection techniques are well-documented and easy to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.30.4

Vendor Advisory: https://github.com/jshmrtn/hygeia/security/advisories/GHSA-8pwv-jhj2-2369

Restart Required: Yes

Instructions:

1. Backup your Hygeia installation and database.
2. Stop the Hygeia service.
3. Update to version 1.30.4 via package manager or manual installation.
4. Restart the Hygeia service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Disable CSV exports
  Scope: all
  Temporarily disable CSV export functionality in Hygeia configuration.
  Action: Modify Hygeia configuration to remove CSV export options.

User education and controls
  Scope: all
  Train users to open CSV files in text editors only, not spreadsheet applications.

🧯 If You Can't Patch

  • Implement strict user access controls to limit who can create CSV exports
  • Deploy endpoint protection that blocks execution of formulas from CSV files

🔍 How to Verify

Check if Vulnerable:

Check the Hygeia version: if it is lower than 1.30.4, the system is vulnerable. Test the CSV export functionality for formula injection.

Check Version:

Check Hygeia web interface or configuration files for version number

Verify Fix Applied:

After updating to 1.30.4, test CSV exports with formula payloads - they should be sanitized or escaped.

📡 Detection & Monitoring

Log Indicators:

  • Unusual CSV export patterns
  • Multiple large CSV exports from single user
  • CSV exports containing formula-like strings

Network Indicators:

  • CSV file downloads containing =, +, -, @ characters at start of fields

SIEM Query:

source="hygeia" AND (event="csv_export" OR file_type="csv") AND (payload CONTAINS "=" OR payload CONTAINS "+" OR payload CONTAINS "-" OR payload CONTAINS "@")
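Added example (not Hygeia's code, which this page does not show): Python helpers for the defender's side of this bug, a neutralize step of the kind a patched export applies ("sanitized or escaped" under Verify Fix Applied) and a scanner for the formula-like fields listed under Detection & Monitoring. FORMULA_TRIGGERS, neutralize, export_csv, find_formula_fields and SAMPLE_ROWS are assumed/constructed names and data.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula
# (the =, +, -, @ indicators above) plus tab and CR, per OWASP CSV-injection guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def is_formula_like(field):
    """True if a CSV text field would be evaluated as a formula on import;
    numeric strings such as "-0.4" start with a trigger but are not flagged."""
    if not field.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(field)
        return False
    except ValueError:
        return True

def neutralize(value):
    """Cell value that spreadsheets show as literal text: numbers pass through,
    text starting with a trigger gets a leading single quote (OWASP guidance)."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = str(value)
    return "'" + text if text.startswith(FORMULA_TRIGGERS) else text

def export_csv(rows, sanitize=True):
    """Serialize rows to CSV; sanitize=False models an unpatched export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize(v) for v in row] if sanitize else row)
    return buf.getvalue()

def find_formula_fields(csv_text):
    """Detection/verification: (row, col, field) for each formula-like field."""
    return [(r, c, f)
            for r, row in enumerate(csv.reader(io.StringIO(csv_text)))
            for c, f in enumerate(row) if is_formula_like(f)]

# Constructed sample export (not real Hygeia data); the notes column holds
# user-supplied text, two cells of which begin with formula triggers.
SAMPLE_ROWS = [
    ["case_id", "temp_delta", "notes"],
    [1001, 0.3, "isolated at home"],
    [1002, -0.4, "=1+1"],
    [1003, 1.1, "@SUM(1,2)"],
]
```

Running find_formula_fields over an unsanitized export flags the two notes cells and nothing else, while the sanitized export yields no hits, which is the check to run on a real export after updating to 1.30.4.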
