PYSEC-2021-146

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/reportlab/PYSEC-2021-146.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2021-146
Aliases
Published
2021-02-18T16:15:00Z
Modified
2023-11-01T04:52:55.862118Z
Summary
[none]
Details

All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject <img src="http://127.0.0.1:5000" valign="top"/> 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF

References

Affected packages

PyPI / reportlab

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.5.55

Affected versions

2.*

2.0
2.3
2.4
2.5
2.6
2.7

3.*

3.0
3.1.8
3.1.44
3.2.0
3.3.0
3.4.0
3.5.0
3.5.1
3.5.2
3.5.4
3.5.5
3.5.6
3.5.8
3.5.9
3.5.10
3.5.11
3.5.12
3.5.13
3.5.16
3.5.17
3.5.18
3.5.19
3.5.20
3.5.21
3.5.23
3.5.26
3.5.28
3.5.31
3.5.32
3.5.34
3.5.42
3.5.44
3.5.45
3.5.46
3.5.47
3.5.48
3.5.49
3.5.50
3.5.51
3.5.52
3.5.53
3.5.54