CVE-2022-23868
📋 TL;DR
RuoYi v4.7.2 contains a CSV (spreadsheet formula) injection vulnerability in the admin module: values written into exported Excel log files are not sanitized, so an attacker can embed malicious formulas in them. When a victim opens the resulting .xlsx file in a spreadsheet application such as Microsoft Excel, those formulas can execute arbitrary commands on the victim's system. This affects administrators and users who download and open log files from vulnerable RuoYi installations.
💻 Affected Systems
- RuoYi
📦 What is this software?
RuoYi, an open-source Java (Spring Boot) back-office management framework maintained by y_project on Gitee.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on victim's workstation when malicious Excel file is opened, potentially leading to full system compromise, data theft, or lateral movement within the network.
Likely Case
Local command execution on the victim's machine when Excel automatically executes embedded formulas, allowing attackers to steal credentials, install malware, or access sensitive files.
If Mitigated
Limited impact if Excel security settings block automatic formula execution or if users are trained not to open untrusted Excel files.
🎯 Exploit Status
Exploitation requires access to the admin interface to generate malicious log exports. The vulnerability is well-documented in public issue trackers with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after v4.7.2
Vendor Advisory: https://gitee.com/y_project/RuoYi/issues/I4RBBD
Restart Required: Yes
Instructions:
1. Upgrade RuoYi to the latest version.
2. Verify the fix by checking that CSV/Excel exports properly sanitize formula characters.
3. Restart the application server.
🔧 Temporary Workarounds
Disable log export functionality
Temporarily disable the log export feature in the admin interface to prevent generation of malicious Excel files.
Modify application configuration to remove log export endpoints or disable the feature in admin panel
Implement output sanitization
Add output validation to sanitize formula characters (=, +, -, @) in log data before Excel export.
Implement CSV injection protection by prefixing formula characters with single quote (') or escaping them
🧯 If You Can't Patch
- Restrict access to admin interface to trusted users only using network segmentation and strong authentication
- Educate users to never open Excel files from untrusted sources and configure Excel to disable automatic formula execution
🔍 How to Verify
Check if Vulnerable:
Check whether the RuoYi version is 4.7.2 or earlier, then test whether a log export reproduces formula characters (=, +, -, @) at the start of cells unchanged.
Check Version:
Check application.properties or version file in RuoYi installation directory
Verify Fix Applied:
After patching, test log export functionality to ensure formula characters are properly escaped or prefixed with single quotes.
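The sanitization described under "Implement output sanitization" and the export check described under "Verify Fix Applied", as an added example that is not RuoYi's own code (RuoYi is Java; Python is used here only for a language-neutral illustration). `export_rows` is a constructed stand-in for the log export and the sample rows are constructed; the single-quote prefix is the approach the advisory recommends.

```python
import csv
import io

# Leading characters that Excel and LibreOffice interpret as the start of a formula.
# Tab and carriage return are included because some importers also treat them as a lead-in.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Neutralise formula injection in one exported cell by prefixing a single quote,
    which makes the spreadsheet treat the content as literal text."""
    if value is None:
        return ""
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows):
    """Constructed stand-in for the log export: write rows as CSV with every cell sanitised."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


def find_unsanitized_cells(csv_text):
    """Verification check for an already-exported file: return (row, col, value)
    for every cell that still begins with a formula trigger."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits


# Constructed sample log rows; the second operator value is a harmless formula used only
# to show that attacker-controlled log fields are the injection point.
SAMPLE_ROWS = [
    ["id", "operator", "title", "ip"],
    ["1", "admin", "user login", "10.0.0.5"],
    ["2", "=1+1", "profile update", "10.0.0.9"],
    ["3", "guest", "-offline", "10.0.0.7"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```

Because "-" is a trigger, legitimately negative numeric fields also become text after the prefix; the same prefix applies when writing typed XLSX cells, where the check must read cell strings rather than CSV text.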
📡 Detection & Monitoring
Log Indicators:
- Unusual log export requests, especially with crafted log entries containing formula characters
Network Indicators:
- Large number of log export requests from single IP, unusual patterns in admin interface access
SIEM Query:
source="ruoyi-admin" AND (event="log_export" OR url_path="/admin/log/export")