Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1wdnctMjVtZy01OXZ4
Server-side Request Forgery (SSRF) via img tags in reportlab
All versions of the reportlab package at the time of writing are vulnerable to Server-side Request Forgery (SSRF) via img tags. To reduce risk, use trustedSchemes and trustedHosts (see ReportLab's documentation).
Steps to reproduce by Karan Bamal:
- Download and install the latest package of reportlab
- Go to demos -> odyssey -> dodyssey
- In the text file odyssey.txt that needs to be converted to PDF, inject
<img src="http://127.0.0.1:5000" valign="top"/>
- Create a nc listener
nc -lp 5000
- Run python3 dodyssey.py
- You will get a hit on your nc listener, showing we have successfully proceeded to send a server-side request
- dodyssey.py will show an error since there is no image file at the URL, but we are able to do SSRF
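An added input-side check, written here as an example and not part of reportlab (the fix the advisory recommends remains reportlab's own trustedSchemes and trustedHosts settings): it scans paragraph markup for img src values and rejects any whose scheme or host is outside an allowlist, or that point at loopback or private addresses such as the 127.0.0.1:5000 listener in the steps above. The allowlist and the host static.example.org are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example (placeholder host, not a real policy).
TRUSTED_SCHEMES = {"https"}
TRUSTED_HOSTS = {"static.example.org"}

# Matches the src attribute of an <img ...> tag, quoted with " or '.
IMG_SRC_RE = re.compile(r"<img\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)')", re.IGNORECASE)


def host_is_internal(host):
    """True for 'localhost' and literal loopback/private/link-local addresses."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: decided by the host allowlist instead
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def check_img_src(src):
    """Return (allowed, reason) for one img src value."""
    parts = urlsplit(src.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in TRUSTED_SCHEMES:
        return False, "scheme %r is not trusted" % (scheme or "<none>")
    if host_is_internal(host):
        return False, "host %r is an internal address" % host
    if host not in TRUSTED_HOSTS:
        return False, "host %r is not in the trusted host list" % host
    return True, "ok"


def find_untrusted_img_sources(text):
    """Return [(src, reason)] for every <img> src in text that fails the policy."""
    findings = []
    for m in IMG_SRC_RE.finditer(text):
        src = m.group(1) if m.group(1) is not None else m.group(2)
        allowed, reason = check_img_src(src)
        if not allowed:
            findings.append((src, reason))
    return findings


# Constructed sample: the advisory's payload, an internal address, and an allowed image.
SAMPLE = ('Tell me, O Muse, of that ingenious hero '
          '<img src="http://127.0.0.1:5000" valign="top"/> '
          '<img src="https://10.0.0.8/x.png"/> '
          "<img src='https://static.example.org/logo.png' width='20'/>")
```

Running find_untrusted_img_sources over SAMPLE reports the first two img tags and passes the third; anything reported should be stripped or the document rejected before the text reaches the renderer.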
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1wdnctMjVtZy01OXZ4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: 6 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-mpvw-25mg-59vx, CVE-2020-28463
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-28463
- https://bugzilla.redhat.com/show_bug.cgi?id=1930417
- https://hg.reportlab.com/hg-public/reportlab/rev/7f2231703dc7
- https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145
- https://lists.fedoraproject.org/archives/list/[email protected]/message/HMUJA5GZTPQ5WRYUCCK2GEZM4W43N7HH/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/YZQSFCID67K6BTC655EQY6MNOF35QI44/
- https://hg.reportlab.com/hg-public/reportlab/file/f094d273903a/CHANGES.md#l71
- https://www.reportlab.com/docs/reportlab-userguide.pdf
- https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html
- https://github.com/advisories/GHSA-mpvw-25mg-59vx
Affected Packages
pypi:reportlab
Dependent packages: 204
Dependent repositories: 13,661
Downloads: 4,748,060 last month
Affected Version Ranges: < 3.5.55
Fixed in: 3.5.55
All affected versions: 3.1.8, 3.1.44, 3.2.0, 3.3.0, 3.4.0, 3.5.0, 3.5.1, 3.5.2, 3.5.4, 3.5.5, 3.5.6, 3.5.8, 3.5.9, 3.5.10, 3.5.11, 3.5.12, 3.5.13, 3.5.16, 3.5.17, 3.5.18, 3.5.19, 3.5.20, 3.5.21, 3.5.23, 3.5.26, 3.5.28, 3.5.31, 3.5.32, 3.5.34, 3.5.42, 3.5.44, 3.5.45, 3.5.46, 3.5.47, 3.5.48, 3.5.49, 3.5.50, 3.5.51, 3.5.52, 3.5.53, 3.5.54
All unaffected versions: 3.5.55, 3.5.56, 3.5.57, 3.5.58, 3.5.59, 3.5.62, 3.5.63, 3.5.64, 3.5.65, 3.5.66, 3.5.67, 3.5.68, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.6.10, 3.6.11, 3.6.12, 3.6.13, 4.0.0, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.2.0