ID CVE-2019-17626
Summary ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
References
Vulnerable Configurations
  • cpe:2.3:a:reportlab:reportlab:2.0:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:2.3:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:2.4:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:2.5:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:2.6:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:2.7:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.0:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.1.8:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.1.8:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.1.44:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.1.44:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.2:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.4:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.5:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.6:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.8:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.8:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.9:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.9:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.10:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.10:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.11:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.11:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.12:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.12:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.13:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.13:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.16:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.16:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.17:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.17:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.18:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.18:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.19:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.19:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.20:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.20:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.21:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.21:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.23:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.23:*:*:*:*:*:*:*
  • cpe:2.3:a:reportlab:reportlab:3.5.26:*:*:*:*:*:*:*
    cpe:2.3:a:reportlab:reportlab:3.5.26:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 01-08-2024 - 13:41)
Impact:
Exploitability:
CWE CWE-91
CAPEC
  • XPath Injection
    An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that he normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.
  • XML Injection
    An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • bugzilla
    id 1769661
    title CVE-2019-17626 python-reportlab: code injection in colors.py allows attacker to execute code
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment python-reportlab is earlier than 0:2.5-9.el7_7.1
            oval oval:com.redhat.rhsa:tst:20200195001
          • comment python-reportlab is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20200195002
        • AND
          • comment python-reportlab-docs is earlier than 0:2.5-9.el7_7.1
            oval oval:com.redhat.rhsa:tst:20200195003
          • comment python-reportlab-docs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20200195004
    rhsa
    id RHSA-2020:0195
    released 2020-01-21
    severity Important
    title RHSA-2020:0195: python-reportlab security update (Important)
  • bugzilla
    id 1769661
    title CVE-2019-17626 python-reportlab: code injection in colors.py allows attacker to execute code
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 6 is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • comment python-reportlab is earlier than 0:2.3-3.el6_10.1
            oval oval:com.redhat.rhsa:tst:20200197001
          • comment python-reportlab is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20200195002
        • AND
          • comment python-reportlab-docs is earlier than 0:2.3-3.el6_10.1
            oval oval:com.redhat.rhsa:tst:20200197003
          • comment python-reportlab-docs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20200195004
    rhsa
    id RHSA-2020:0197
    released 2020-01-21
    severity Important
    title RHSA-2020:0197: python-reportlab security update (Important)
  • bugzilla
    id 1769661
    title CVE-2019-17626 python-reportlab: code injection in colors.py allows attacker to execute code
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 8 is installed
        oval oval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • comment python-reportlab-debugsource is earlier than 0:3.4.0-6.el8_1.2
            oval oval:com.redhat.rhsa:tst:20200201001
          • comment python-reportlab-debugsource is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20200201002
        • AND
          • comment python3-reportlab is earlier than 0:3.4.0-6.el8_1.2
            oval oval:com.redhat.rhsa:tst:20200201003
          • comment python3-reportlab is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20200201004
    rhsa
    id RHSA-2020:0201
    released 2020-01-24
    severity Important
    title RHSA-2020:0201: python-reportlab security update (Important)
  • rhsa
    id RHSA-2020:0230
rpms
  • python-reportlab-0:2.5-9.el7_7.1
  • python-reportlab-debuginfo-0:2.5-9.el7_7.1
  • python-reportlab-docs-0:2.5-9.el7_7.1
  • python-reportlab-0:2.3-3.el6_10.1
  • python-reportlab-debuginfo-0:2.3-3.el6_10.1
  • python-reportlab-docs-0:2.3-3.el6_10.1
  • python-reportlab-debugsource-0:3.4.0-6.el8_1.2
  • python3-reportlab-0:3.4.0-6.el8_1.2
  • python3-reportlab-debuginfo-0:3.4.0-6.el8_1.2
  • python-reportlab-debugsource-0:3.4.0-6.el8_0.2
  • python3-reportlab-0:3.4.0-6.el8_0.2
  • python3-reportlab-debuginfo-0:3.4.0-6.el8_0.2
refmap via4
debian DSA-4663
fedora
  • FEDORA-2020-d2fb999600
  • FEDORA-2020-f3e0ba2f79
gentoo GLSA-202007-35
misc
mlist [debian-lts-announce] 20200220 [SECURITY] [DLA 2112-1] python-reportlab security update
suse openSUSE-SU-2020:0160
ubuntu USN-4273-1
Last major update 01-08-2024 - 13:41
Published 16-10-2019 - 12:15
Last modified 01-08-2024 - 13:41
Back to Top