Server-side Request Forgery (SSRF)
Description
All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see Reportlab's documentation).

Steps to reproduce by Karan Bamal:
1. Download and install the latest package of reportlab.
2. Go to demos -> odyssey -> dodyssey.
3. In the text file odyssey.txt that needs to be converted to pdf, inject
4. Create a nc listener: nc -lp 5000
5. Run python3 dodyssey.py
6. You will get a hit on your nc showing we have successfully proceeded to send a server side request.
7. dodyssey.py will show an error since there is no img file on the url, but we are able to do SSRF.
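The mitigation the description points to is an allow-list of URL schemes and hosts for image references. The following is an added example written for this page, not reportlab's own code and not from the advisory: it implements that policy as a stand-alone screen that runs over untrusted markup before it reaches any PDF renderer, and it goes slightly beyond the page by rejecting literal IP addresses outright (loopback, link-local and private ranges never match a name-based allow-list). Only the setting names trustedSchemes and trustedHosts come from the description; the function names, the allow-list patterns, the sample markup and the way apply_reportlab_policy assigns the settings are assumptions.

```python
"""Allow-list screening for image URLs in untrusted markup.

Added example, not reportlab's own code: it models the policy that the
trustedSchemes / trustedHosts settings named in the advisory express, as a
stand-alone check that can run before markup reaches a PDF renderer.
All patterns, hostnames and sample markup below are constructed.
"""
import ipaddress
import re
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed policy: TLS only, and only hosts the application serves images from.
TRUSTED_SCHEMES = frozenset({"https"})
TRUSTED_HOSTS = ("static.example.com", "*.cdn.example.net")

# Matches the src attribute of <img ...> elements in paragraph-style markup.
IMG_SRC = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)


def is_trusted_url(url, schemes=TRUSTED_SCHEMES, hosts=TRUSTED_HOSTS):
    """True only if url uses an allowed scheme and names an allow-listed host.

    Literal IP addresses are rejected even when a pattern such as "*" would
    match them; that is what keeps loopback, link-local and RFC 1918 targets out.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in schemes:
        return False
    host = parts.hostname  # lower-cased, with userinfo and port already stripped
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass  # not an IP literal, continue with the name-based check
    return any(fnmatch(host, pattern.lower()) for pattern in hosts)


def untrusted_image_urls(markup, **policy):
    """Every <img src> in markup that fails the allow-list, in document order."""
    return [u for u in IMG_SRC.findall(markup) if not is_trusted_url(u, **policy)]


def apply_reportlab_policy(schemes=TRUSTED_SCHEMES, hosts=TRUSTED_HOSTS):
    """Push the same policy into reportlab's global config when it is installed.

    The setting names come from the advisory; the list types and the point at
    which reportlab reads them are assumptions, so confirm against the userguide.
    Returns False (without error) when reportlab is not importable.
    """
    try:
        from reportlab import rl_config
    except ImportError:
        return False
    rl_config.trustedSchemes = sorted(schemes)
    rl_config.trustedHosts = list(hosts)
    return True


if __name__ == "__main__":
    # Constructed sample: one permitted image and one pointing at an internal address.
    sample = ('<para>Report <img src="https://static.example.com/logo.png"/> '
              'and <img src="http://10.0.0.5:5000/x.png"/></para>')
    bad = untrusted_image_urls(sample)
    print("rejected:", bad)  # rejected: ['http://10.0.0.5:5000/x.png']
    if bad:
        raise SystemExit("refusing to render markup with untrusted image URLs")
```

Screening the markup up front means a rejected document never reaches the renderer at all, so the failure is a clear policy error rather than a fetch error after the request has already left the host; the same allow-list is also handed to reportlab's own settings so that any image reference the regex does not see is still subject to the library's check.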
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| reportlab (PyPI) | < 3.5.55 | 3.5.55 |
Affected products (5)
- reportlab/reportlab (GHSA coordinates, 4 version ranges; package URLs: pkg:pypi/reportlab, pkg:rpm/opensuse/python-reportlab&distro=openSUSE%20Leap%2015.2, pkg:rpm/opensuse/python-reportlab&distro=openSUSE%20Leap%2015.3, pkg:rpm/suse/python-reportlab&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP5): < 3.5.55, plus 3 more ranges
- (no CPE) range: < 3.5.55
- (no CPE) range: < 3.4.0-lp152.5.3.1
- (no CPE) range: < 3.4.0-3.6.1
- (no CPE) range: < 2.7-3.8.1
References (14)
- github.com/advisories/GHSA-mpvw-25mg-59vx (GHSA: advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMUJA5GZTPQ5WRYUCCK2GEZM4W43N7HH/ (MITRE: vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZQSFCID67K6BTC655EQY6MNOF35QI44/ (MITRE: vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-28463 (GHSA: advisory)
- bugzilla.redhat.com/show_bug.cgi (GHSA: web)
- github.com/pypa/advisory-database/tree/main/vulns/reportlab/PYSEC-2021-146.yaml (GHSA: web)
- hg.reportlab.com/hg-public/reportlab (GHSA: package)
- hg.reportlab.com/hg-public/reportlab/file/f094d273903a/CHANGES.md (GHSA: web)
- hg.reportlab.com/hg-public/reportlab/rev/7f2231703dc7 (GHSA: web)
- lists.debian.org/debian-lts-announce/2023/09/msg00037.html (GHSA: mailing list, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMUJA5GZTPQ5WRYUCCK2GEZM4W43N7HH (GHSA: web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZQSFCID67K6BTC655EQY6MNOF35QI44 (GHSA: web)
- snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145 (GHSA: web)
- www.reportlab.com/docs/reportlab-userguide.pdf (GHSA: web)