GHSA-pj98-2xf6-cff5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pj98-2xf6-cff5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-pj98-2xf6-cff5/GHSA-pj98-2xf6-cff5.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-pj98-2xf6-cff5
- Aliases
- Published
- 2023-09-20T15:30:51Z
- Modified
- 2024-04-28T06:45:52.194702Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- ReportLab vulnerable to remote code execution via paraparser
- Details
-
paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.
- Database specific
{ "nvd_published_at": "2023-09-20T14:15:12Z", "cwe_ids": [ "CWE-91" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-09-21T16:57:08Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-19450
- https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md
- https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md#release-353115102019
- https://hg.reportlab.com/hg-public/reportlab
- https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHMCB2GJQKFMGVO5RWHN222NQL5XYPHZ
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HADPTB3SBU7IVRMDK7OL6WSQRU5AFWDZ
- https://pastebin.com/5MicRrr4
Affected packages
PyPI / reportlab
Package
- Name
- reportlab
- View open source insights on deps.dev
- Purl
- pkg:pypi/reportlab