CVE Vulnerabilities

CVE-2022-22689

Improper Neutralization of Formula Elements in a CSV File

Published: Feb 04, 2022 | Modified: Feb 10, 2022
CVSS 3.x
8.8
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
6.5 MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu

CA Harvest Software Change Manager versions 13.0.3, 13.0.4, 14.0.0, and 14.0.1, contain a vulnerability in the CSV export functionality, due to insufficient input validation, that can allow a privileged user to potentially execute arbitrary code or commands.

Weakness

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Affected Software

Name Vendor Start Version End Version
Ca_harvest_software_change_manager Broadcom 13.0.3 (including) 13.0.3 (including)
Ca_harvest_software_change_manager Broadcom 13.0.4 (including) 13.0.4 (including)
Ca_harvest_software_change_manager Broadcom 14.0.0 (including) 14.0.0 (including)
Ca_harvest_software_change_manager Broadcom 14.0.1 (including) 14.0.1 (including)

Potential Mitigations

References