Hi Team,
As mentioned here (TCS-90488), as part of our penetration testing results we observed the affected component below in JIRA:
It is possible to inject spreadsheet formulae into certain fields within the application that are executed as formulae when the CSV files are exported.
CSV injection attacks occur when an attacker crafts a CSV file with malicious content, typically in the form of formulas, that is executed by a vulnerable application when the file is imported. This can lead to the execution of arbitrary code or the theft of sensitive data.
In older versions of Microsoft Excel, or if the user has re-enabled the Trust Centre setting, a security warning is displayed and the user must manually enable the content within the application. Because the data comes from a trusted source, it is possible that users will ignore this security warning and enable all content within the spreadsheet. In this case, there are many potential insertion points in the Jira web application which accept input in the form of formulae, and similarly many other locations where a CSV file can be dynamically generated and exported, which subsequently contain these formulae.
In one example the "full name" of any applicable user is used, which can be changed at will on the "profile" page for any user. Below, a screenshot shows that the application accepts a formula as the name; this is a simple proof-of-concept payload designed to open a calculator upon execution. (Try checking the other custom fields with the formula; exporting may give the same kind of behaviour.)
With the payload set, one of the many CSV export functionalities was utilised, which in this case was the "Time Tracker Flexible Report" tool. This tool exports various information about time worked on a given project, and in the resulting CSV file the user's full name (as configured with the payload shown above) is directly incorporated. The screenshot below depicts one example of exporting a CSV file.
The resulting downloaded CSV file, when opened in a program such as Microsoft Excel, will cause the user to be prompted with security warnings and/or notifications pertaining to Dynamic Data Exchange (DDE), if it is not already enabled. If the user continues regardless of these warnings, then the command is executed. The following screenshots depict this process.
So the expectation here is that JIRA performs appropriate encoding of special characters, such as the equals sign (=), that are used in formulas. Alternatively, consider adding an apostrophe (') or a space before cells starting with an equals character (=) to prevent the data contained within the cell from being interpreted as a formula.
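As an added example (not code from this report, from Jira or from Tempo), the following Python exporter applies the apostrophe-prefix mitigation described above to every cell and relies on full CSV quoting so a value cannot break out of its cell. The column names and sample rows are constructed, and the first "full name" carries a harmless formula rather than a real payload.

```python
import csv
import io

# Characters that spreadsheet applications treat as the start of a formula.
# Tab and CR are included because some importers strip them and then
# interpret the remainder of the cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Return the cell as text that a spreadsheet will never evaluate.

    A leading apostrophe makes Excel display the cell as a literal string
    (the apostrophe itself is hidden). Note that this also prefixes
    negative numbers such as "-5"; export numeric columns as numbers
    through a typed format if that matters for your report.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def is_formula_cell(cell):
    """Audit helper: True if an unsanitised cell would be read as a formula."""
    return str(cell).startswith(FORMULA_TRIGGERS)


def export_csv(rows, header):
    """Serialise rows (lists of cell values) to CSV text with every cell
    sanitised. QUOTE_ALL quotes each field and doubles embedded double
    quotes, so a name containing , or " stays inside its own cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data standing in for a time-tracking report export.
SAMPLE_HEADER = ["Full name", "Issue", "Hours"]
SAMPLE_ROWS = [
    ["=1+1", "PROJ-1", 2.5],              # formula injected via the profile page
    ['Alice "Al" Example', "PROJ-2", 1.0],  # embedded quotes must be escaped
    ["-Bob", "PROJ-3", 4.0],              # leading minus is also a trigger
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS, SAMPLE_HEADER))
```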
Tempo Products: Tempo Timesheets
Tempo Platform: On-Premise