CVE-2021-38873

Vulnerability

IBM Planning Analytics 2.0 is vulnerable to CSV Injection (CVE-2021-38873) due to improper validation of CSV file contents. The vulnerability resides in the Planning Analytics Workspace component. Affected versions include IBM Planning Analytics 2.0 prior to the release of Planning Analytics Local v2.0 - Planning Analytics Workspace Release 70 [1].

Exploitation

An attacker can craft a malicious CSV file containing formula injection payloads (e.g., cells beginning with =, +, -, or @). If the CSV file is processed or opened by Planning Analytics, the injected formulas may be executed, leading to arbitrary command execution. No authentication is required, but user interaction (such as opening the CSV) is likely needed.

Impact

Successful exploitation allows a remote attacker to execute arbitrary commands on the system with the privileges of the user running Planning Analytics, potentially leading to full system compromise.

Mitigation

IBM has addressed this vulnerability in IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 70 [1]. Users should upgrade to this or a later version. As a workaround, avoid opening untrusted CSV files in Planning Analytics.