pysec - pysec-2021-146

pysec-2021-146

Vulnerability from pysec

Published

2021-02-18 16:15

Modified

2021-08-27 03:22

Details

All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF

Impacted products

Name	purl
reportlab	pkg:pypi/reportlab

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "reportlab",
        "purl": "pkg:pypi/reportlab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.55"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.0",
        "2.3",
        "2.4",
        "2.5",
        "2.6",
        "2.7",
        "3.0",
        "3.1.44",
        "3.1.8",
        "3.2.0",
        "3.3.0",
        "3.4.0",
        "3.5.0",
        "3.5.1",
        "3.5.10",
        "3.5.11",
        "3.5.12",
        "3.5.13",
        "3.5.16",
        "3.5.17",
        "3.5.18",
        "3.5.19",
        "3.5.2",
        "3.5.20",
        "3.5.21",
        "3.5.23",
        "3.5.26",
        "3.5.28",
        "3.5.31",
        "3.5.32",
        "3.5.34",
        "3.5.4",
        "3.5.42",
        "3.5.44",
        "3.5.45",
        "3.5.46",
        "3.5.47",
        "3.5.48",
        "3.5.49",
        "3.5.5",
        "3.5.50",
        "3.5.51",
        "3.5.52",
        "3.5.53",
        "3.5.54",
        "3.5.6",
        "3.5.8",
        "3.5.9"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28463",
    "SNYK-PYTHON-REPORTLAB-1022145",
    "GHSA-mpvw-25mg-59vx"
  ],
  "details": "All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes \u0026 trustedHosts (see in Reportlab\u0027s documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -\u003e odyssey -\u003e dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject \u003cimg src=\"http://127.0.0.1:5000\" valign=\"top\"/\u003e 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF",
  "id": "PYSEC-2021-146",
  "modified": "2021-08-27T03:22:19.297131Z",
  "published": "2021-02-18T16:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145"
    },
    {
      "type": "WEB",
      "url": "https://www.reportlab.com/docs/reportlab-userguide.pdf"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-mpvw-25mg-59vx"
    }
  ]
}

CVE-2020-28463 (GCVE-0-2020-28463)

Vulnerability from cvelistv5

Published

2021-02-18 16:00

Modified

2024-09-17 01:27

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P

CWE

Server-side Request Forgery (SSRF)

Summary

All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject <img src="http://127.0.0.1:5000" valign="top"/> 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF

References

URL

Tags

	https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145
	https://www.reportlab.com/docs/reportlab-userguide.pdf
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMUJA5GZTPQ5WRYUCCK2GEZM4W43N7HH/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZQSFCID67K6BTC655EQY6MNOF35QI44/	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html	mailing-list

Impacted products

	Vendor	Product	Version
	n/a	reportlab	Version: 0 < unspecified

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:40:59.361Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.reportlab.com/docs/reportlab-userguide.pdf"
          },
          {
            "name": "FEDORA-2021-13cdc0ab0e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMUJA5GZTPQ5WRYUCCK2GEZM4W43N7HH/"
          },
          {
            "name": "FEDORA-2021-04bfae8300",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZQSFCID67K6BTC655EQY6MNOF35QI44/"
          },
          {
            "name": "[debian-lts-announce] 20230929 [SECURITY] [DLA 3590-1] python-reportlab security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "reportlab",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Karan Bamal"
        }
      ],
      "datePublic": "2021-02-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes \u0026 trustedHosts (see in Reportlab\u0027s documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -\u003e odyssey -\u003e dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject \u003cimg src=\"http://127.0.0.1:5000\" valign=\"top\"/\u003e 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitCodeMaturity": "PROOF_OF_CONCEPT",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 6.2,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Server-side Request Forgery (SSRF)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-29T21:06:26.944415",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "url": "https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145"
        },
        {
          "url": "https://www.reportlab.com/docs/reportlab-userguide.pdf"
        },
        {
          "name": "FEDORA-2021-13cdc0ab0e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMUJA5GZTPQ5WRYUCCK2GEZM4W43N7HH/"
        },
        {
          "name": "FEDORA-2021-04bfae8300",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZQSFCID67K6BTC655EQY6MNOF35QI44/"
        },
        {
          "name": "[debian-lts-announce] 20230929 [SECURITY] [DLA 3590-1] python-reportlab security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html"
        }
      ],
      "title": "Server-side Request Forgery (SSRF)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2020-28463",
    "datePublished": "2021-02-18T16:00:21.220773Z",
    "dateReserved": "2020-11-12T00:00:00",
    "dateUpdated": "2024-09-17T01:27:03.761Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

ghsa-mpvw-25mg-59vx

Vulnerability from github

Published

2021-03-29 16:32

Modified

2024-10-26 18:34

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
7.1 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

Server-side Request Forgery (SSRF) via img tags in reportlab

Details

All versions of package reportlab at time of writing are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation)

Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject <img src="http://127.0.0.1:5000" valign="top"/> 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "reportlab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.55"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28463"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-19T22:04:29Z",
    "nvd_published_at": "2021-02-18T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "All versions of package reportlab at time of writing are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes \u0026 trustedHosts (see in Reportlab\u0027s documentation) \n\nSteps to reproduce by Karan Bamal: \n1. Download and install the latest package of reportlab \n2. Go to demos -\u003e odyssey -\u003e dodyssey \n3. In the text file odyssey.txt that needs to be converted to pdf inject `\u003cimg src=\"http://127.0.0.1:5000\" valign=\"top\"/\u003e`\n4. Create a nc listener `nc -lp 5000`\n5. Run python3 dodyssey.py \n6. You will get a hit on your nc showing we have successfully proceded to send a server side request \n7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF",
  "id": "GHSA-mpvw-25mg-59vx",
  "modified": "2024-10-26T18:34:55Z",
  "published": "2021-03-29T16:32:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28463"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930417"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-mpvw-25mg-59vx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/reportlab/PYSEC-2021-146.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://hg.reportlab.com/hg-public/reportlab"
    },
    {
      "type": "WEB",
      "url": "https://hg.reportlab.com/hg-public/reportlab/file/f094d273903a/CHANGES.md#l71"
    },
    {
      "type": "WEB",
      "url": "https://hg.reportlab.com/hg-public/reportlab/rev/7f2231703dc7"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMUJA5GZTPQ5WRYUCCK2GEZM4W43N7HH"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZQSFCID67K6BTC655EQY6MNOF35QI44"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145"
    },
    {
      "type": "WEB",
      "url": "https://www.reportlab.com/docs/reportlab-userguide.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Server-side Request Forgery (SSRF) via img tags in reportlab"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

pysec-2021-146

Vulnerability from pysec

CVE-2020-28463 (GCVE-0-2020-28463)

Vulnerability from cvelistv5

ghsa-mpvw-25mg-59vx

Vulnerability from github

Tags

Sightings

Nomenclature