Unrated severity · NVD Advisory · Published Mar 10, 2022 · Updated Sep 16, 2024

CVE-2021-39022

Description

IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software. IBM X-Force ID: 213858.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Guardium Data Encryption (GDE) fails to sanitize CSV output, enabling command injection when the exported file is opened in spreadsheet software.

Vulnerability

IBM Guardium Data Encryption (GDE) versions 4.0.0.0 and 5.0.0.0 save user-provided information into a Comma-Separated Value (CSV) file without neutralizing special elements that could be interpreted as commands when the file is opened by spreadsheet software. Affected components include Guardium Cloud Key Manager (GCKM) 1.10.1 and lower, CipherTrust Tokenization Server (CT-VL) 2.6.3 and lower, and Guardium Data Encryption Server (DSM) 4.0.0.8 and lower [1].
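The neutralization step the description says is missing, shown as an added example (not IBM's code and not the fix shipped for GDE): a verbatim CSV export beside a hardened one, plus a check for auditing existing exports. The trigger-character list and the apostrophe prefix follow OWASP's CSV injection guidance and are assumptions here, as are all function names and the sample rows.

```python
import csv
import io
import re

# Leading characters a spreadsheet may treat as the start of a formula
# (assumed list, following OWASP's CSV injection guidance).
TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
PLAIN_NUMBER = re.compile(r"[+-]?[0-9]+(\.[0-9]+)?")

def is_risky(text):
    """True if a cell starts with a trigger and is not just a signed number."""
    return text.startswith(TRIGGERS) and not PLAIN_NUMBER.fullmatch(text)

def neutralize_cell(value):
    """Return the cell as text that will not be parsed as a formula."""
    text = "" if value is None else str(value)
    # A leading apostrophe means the cell no longer starts with a trigger.
    return "'" + text if is_risky(text) else text

def export_unsafe(rows):
    """The vulnerable pattern: user-provided fields written verbatim."""
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()

def export_neutralized(rows):
    """Hardened export: every field quoted, risky fields prefixed."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerows([neutralize_cell(c) for c in row] for row in rows)
    return buf.getvalue()

def risky_cells(csv_text):
    """Audit an existing export: (row, column, value) of cells still risky."""
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    return [(r, c, cell) for r, row in enumerate(reader)
            for c, cell in enumerate(row) if is_risky(cell)]

# Constructed sample rows; the formula is a harmless arithmetic expression.
SAMPLE = [["name", "comment", "balance"],
          ["alice", "=1+1", -5],
          ["bob", "@home, see note", "+12.50"]]

if __name__ == "__main__":
    print(risky_cells(export_unsafe(SAMPLE)))       # cells a spreadsheet could evaluate
    print(risky_cells(export_neutralized(SAMPLE)))  # empty after neutralization
```

Neutralizing at export time leaves the stored data unchanged, but programs that parse the CSV will see the added apostrophe and need to account for it.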

Exploitation

An attacker with high privileges (CVSS: PR:H) can inject malicious formulas or commands into user-provided fields that are written to a CSV file. The attack requires user interaction (UI:R) — the victim must open the crafted CSV file with spreadsheet software such as Microsoft Excel or LibreOffice Calc. When the file is opened, the embedded commands execute automatically, potentially compromising the victim's system [1].

Impact

Successful exploitation allows arbitrary command execution on the victim's machine, leading to high confidentiality impact (e.g., disclosure of sensitive data) and low integrity impact. The CVSS base score is 6.2 (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N), indicating a scope change [1].

Mitigation

IBM recommends upgrading to the latest available version of IBM Guardium Data Encryption (GDE) to remediate this vulnerability. No workarounds or mitigations are available [1]. The fix is included in subsequent releases; users should consult the IBM support page for specific version details.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
