Lucene search

[email protected]CVE-2020-28463

HistoryFeb 18, 2021 - 4:15 p.m.

CVE-2020-28463

2021-02-1816:15:12

CWE-918

[email protected]

web.nvd.nist.gov

140

cve-2020-28463

reportlab

ssrf

server-side request forgery

security

vulnerability

mitigation

nvd

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.4 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.6%

JSON

All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab’s documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject <img src=“http://127.0.0.1:5000” /> 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF

Affected configurations

NVD

Node

reportlabreportlab

Node

fedoraprojectfedoraMatch34

fedoraprojectfedoraMatch35

CPENameOperatorVersion
reportlab:reportlabreportlabeq*

CPE	Name	Operator	Version
reportlab:reportlab	reportlab	eq	*

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "reportlab",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThan": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]