GHSA-mpvw-25mg-59vx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mpvw-25mg-59vx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-mpvw-25mg-59vx/GHSA-mpvw-25mg-59vx.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-mpvw-25mg-59vx
- Aliases
-
- CVE-2020-28463
- PYSEC-2021-146
- SNYK-PYTHON-REPORTLAB-1022145
- Published
- 2021-03-29T16:32:27Z
- Modified
- 2024-10-26T18:46:43.817127Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Server-side Request Forgery (SSRF) via img tags in reportlab
- Details
-
All versions of package reportlab at time of writing are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation)
Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject
<img src="http://127.0.0.1:5000" valign="top"/>4. Create a nc listenernc -lp 50005. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF - Database specific
{ "nvd_published_at": "2021-02-18T16:15:00Z", "cwe_ids": [ "CWE-918" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-03-19T22:04:29Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-28463
- https://bugzilla.redhat.com/show_bug.cgi?id=1930417
- https://github.com/advisories/GHSA-mpvw-25mg-59vx
- https://github.com/pypa/advisory-database/tree/main/vulns/reportlab/PYSEC-2021-146.yaml
- https://hg.reportlab.com/hg-public/reportlab
- https://hg.reportlab.com/hg-public/reportlab/file/f094d273903a/CHANGES.md#l71
- https://hg.reportlab.com/hg-public/reportlab/rev/7f2231703dc7
- https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMUJA5GZTPQ5WRYUCCK2GEZM4W43N7HH
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZQSFCID67K6BTC655EQY6MNOF35QI44
- https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145
- https://www.reportlab.com/docs/reportlab-userguide.pdf
Affected packages
PyPI / reportlab
Package
- Name
- reportlab
- View open source insights on deps.dev
- Purl
- pkg:pypi/reportlab
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.5.55
Affected versions
2.*
2.0
2.3
2.4
2.5
2.6
2.7
3.*
3.0
3.1.8
3.1.44
3.2.0
3.3.0
3.4.0
3.5.0
3.5.1
3.5.2
3.5.4
3.5.5
3.5.6
3.5.8
3.5.9
3.5.10
3.5.11
3.5.12
3.5.13
3.5.16
3.5.17
3.5.18
3.5.19
3.5.20
3.5.21
3.5.23
3.5.26
3.5.28
3.5.31
3.5.32
3.5.34
3.5.42
3.5.44
3.5.45
3.5.46
3.5.47
3.5.48
3.5.49
3.5.50
3.5.51
3.5.52
3.5.53
3.5.54