pysec-2021-146
Vulnerability from pysec
Published
2021-02-18 16:15
Modified
2021-08-27 03:22
Details

All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF




{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "reportlab",
        "purl": "pkg:pypi/reportlab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.55"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.0",
        "2.3",
        "2.4",
        "2.5",
        "2.6",
        "2.7",
        "3.0",
        "3.1.44",
        "3.1.8",
        "3.2.0",
        "3.3.0",
        "3.4.0",
        "3.5.0",
        "3.5.1",
        "3.5.10",
        "3.5.11",
        "3.5.12",
        "3.5.13",
        "3.5.16",
        "3.5.17",
        "3.5.18",
        "3.5.19",
        "3.5.2",
        "3.5.20",
        "3.5.21",
        "3.5.23",
        "3.5.26",
        "3.5.28",
        "3.5.31",
        "3.5.32",
        "3.5.34",
        "3.5.4",
        "3.5.42",
        "3.5.44",
        "3.5.45",
        "3.5.46",
        "3.5.47",
        "3.5.48",
        "3.5.49",
        "3.5.5",
        "3.5.50",
        "3.5.51",
        "3.5.52",
        "3.5.53",
        "3.5.54",
        "3.5.6",
        "3.5.8",
        "3.5.9"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28463",
    "SNYK-PYTHON-REPORTLAB-1022145",
    "GHSA-mpvw-25mg-59vx"
  ],
  "details": "All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes \u0026 trustedHosts (see in Reportlab\u0027s documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -\u003e odyssey -\u003e dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject \u003cimg src=\"http://127.0.0.1:5000\" valign=\"top\"/\u003e 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF",
  "id": "PYSEC-2021-146",
  "modified": "2021-08-27T03:22:19.297131Z",
  "published": "2021-02-18T16:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145"
    },
    {
      "type": "WEB",
      "url": "https://www.reportlab.com/docs/reportlab-userguide.pdf"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-mpvw-25mg-59vx"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.