Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7, contain a vulnerability where a remote authenticated user can create an app with a name such that a csv program can interpret into a formula and gets executed. The malicious user can possibly gain access to a usage report that requires a higher privilege.
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Apps_manager | Pivotal | 666.0.0 (including) | 666.0.36 (excluding) |
| Apps_manager | Pivotal | 667.0.0 (including) | 667.0.22 (excluding) |
| Apps_manager | Pivotal | 668.0.0 (including) | 668.0.21 (excluding) |
| Apps_manager | Pivotal | 669.0.0 (including) | 669.0.13 (excluding) |
| Apps_manager | Pivotal | 670.0.0 (including) | 670.0.7 (excluding) |