#2082 CVE-2019-20184: exported CSV can contain Excel formulas

Milestone: KeePass_2.x
Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2021-08-16
Created: 2021-08-15
Private: No

https://nvd.nist.gov/vuln/detail/CVE-2019-20184

Verified to still exist in KeePass 2.48.

Discussion

  • Paul

    Paul - 2021-08-15

    And why is this a problem?
    If you have a field starting with "=", you want to retain that value in a CSV export.

    cheers, Paul

  • Roland Illig

    Roland Illig - 2021-08-15

    Well, I didn't create the CVE, I'm just reporting that it exists. For example, pkgsrc has been marking KeePass as having an "unspecified security vulnerability", and today I investigated whether that was still reproducible with the latest KeePass. It was.

    At least OWASP, MITRE and the BSI seem to agree that interpreting a leading '=' in a CSV file is not a bug in the office applications like Microsoft Word and LibreOffice Calc, but instead the fault is on the side that generates these CSV files.

    I disagree with that interpretation though, since the file format is called "Comma-separated values" and not "Comma-separated formulas". But I don't think I can convince these 3 parties that the bug is on the side of the office applications that interpret these values as formulas. I would be surprised if Microsoft were to fix this security issue properly in the next 20 years.

    Too bad that there is no ISO standard for CSV files that everyone agrees on.

    Roland

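As an added example (not KeePass code and not from any participant in this thread), the exporter-side mitigation that the OWASP guidance Roland mentions recommends: a minimal CSV writer in Python that keeps every character of the original field but prefixes a single quote to any cell starting with a formula trigger, so a spreadsheet shows it as text instead of evaluating it. The function names and the sample rows are constructed for this illustration.

```python
import csv
import io

# First characters that make common spreadsheet applications evaluate a
# cell as a formula (per OWASP "CSV Injection"): =, +, -, @, plus tab and
# carriage return, which some applications strip before looking at the
# first character.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    return bool(value) and value[0] in FORMULA_TRIGGERS


def neutralize_cell(value: str) -> str:
    """Return the cell as a text literal for spreadsheet consumers.

    A leading single quote tells the spreadsheet to display the content
    verbatim; the original characters are all retained, only the quote is
    prepended. Cells without a trigger are returned unchanged.
    """
    return "'" + value if is_formula_cell(value) else value


def export_csv(rows, neutralize=True) -> str:
    """Serialize rows (lists of strings) as RFC 4180 CSV.

    With neutralize=True (the mitigated export) formula-like cells are
    prefixed; with neutralize=False the raw values are written, which is
    the behaviour the ticket describes.
    """
    buf = io.StringIO()
    # QUOTE_ALL also escapes embedded quotes, commas and newlines correctly.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else c for c in row])
    return buf.getvalue()


# Constructed sample entries; the third row's password looks like a formula.
SAMPLE_ROWS = [
    ["Title", "Username", "Password", "Notes"],
    ["Bank", "alice", "=1+1", "plain note"],
    ["Shop", "bob", "s3cret", "@see ticket"],
]
```

Note the trade-off Paul raises: the neutralized export no longer round-trips byte for byte, since a re-import sees the added quote unless the importer strips it again.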
  • Dominik Reichl

    Dominik Reichl - 2021-08-16
    • status: open --> closed
  • Dominik Reichl

    Dominik Reichl - 2021-08-16

    I don't consider this to be a problem in KeePass, see
    https://keepass.info/help/kb/sec_issues.html#expge

    Thanks and best regards,
    Dominik

  • Roland Illig

    Roland Illig - 2021-08-16

    Thank you for documenting the reasons. I have removed this alleged KeePass "vulnerability" from pkgsrc's list of vulnerable packages, so it can be downloaded and installed without warnings again.

  • Dominik Reichl

    Dominik Reichl - 2021-08-16

    Great, thanks! :-)
