    PYSEC-2021-146

    Vulnerability from pysec - Published: 2021-02-18 16:15 - Updated: 2021-08-27 03:22
    Details

    All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see Reportlab's documentation).

    Steps to reproduce by Karan Bamal:
    1. Download and install the latest package of reportlab
    2. Go to demos -> odyssey -> dodyssey
    3. In the text file odyssey.txt that needs to be converted to pdf, inject <img src="http://127.0.0.1:5000" valign="top"/>
    4. Create a nc listener: nc -lp 5000
    5. Run python3 dodyssey.py
    6. You will get a hit on your nc showing we have successfully proceeded to send a server side request
    7. dodyssey.py will show an error since there is no img file on the url, but we are able to do SSRF

    Impacted products
    Name        purl
    reportlab   pkg:pypi/reportlab

    {
      "affected": [
        {
          "package": {
            "ecosystem": "PyPI",
            "name": "reportlab",
            "purl": "pkg:pypi/reportlab"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                },
                {
                  "fixed": "3.5.55"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ],
          "versions": [
            "2.0",
            "2.3",
            "2.4",
            "2.5",
            "2.6",
            "2.7",
            "3.0",
            "3.1.44",
            "3.1.8",
            "3.2.0",
            "3.3.0",
            "3.4.0",
            "3.5.0",
            "3.5.1",
            "3.5.10",
            "3.5.11",
            "3.5.12",
            "3.5.13",
            "3.5.16",
            "3.5.17",
            "3.5.18",
            "3.5.19",
            "3.5.2",
            "3.5.20",
            "3.5.21",
            "3.5.23",
            "3.5.26",
            "3.5.28",
            "3.5.31",
            "3.5.32",
            "3.5.34",
            "3.5.4",
            "3.5.42",
            "3.5.44",
            "3.5.45",
            "3.5.46",
            "3.5.47",
            "3.5.48",
            "3.5.49",
            "3.5.5",
            "3.5.50",
            "3.5.51",
            "3.5.52",
            "3.5.53",
            "3.5.54",
            "3.5.6",
            "3.5.8",
            "3.5.9"
          ]
        }
      ],
      "aliases": [
        "CVE-2020-28463",
        "SNYK-PYTHON-REPORTLAB-1022145",
        "GHSA-mpvw-25mg-59vx"
      ],
      "details": "All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes \u0026 trustedHosts (see in Reportlab\u0027s documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -\u003e odyssey -\u003e dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject \u003cimg src=\"http://127.0.0.1:5000\" valign=\"top\"/\u003e 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF",
      "id": "PYSEC-2021-146",
      "modified": "2021-08-27T03:22:19.297131Z",
      "published": "2021-02-18T16:15:00Z",
      "references": [
        {
          "type": "ADVISORY",
          "url": "https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145"
        },
        {
          "type": "WEB",
          "url": "https://www.reportlab.com/docs/reportlab-userguide.pdf"
        },
        {
          "type": "ADVISORY",
          "url": "https://github.com/advisories/GHSA-mpvw-25mg-59vx"
        }
      ]
    }