CVE-2020-28463 Information
Description
All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk use trustedSchemes & trustedHosts (see in Reportlab’s documentation).

Steps to reproduce by Karan Bamal:
1. Download and install the latest package of reportlab
2. Go to demos -> odyssey -> dodyssey
3. In the text file odyssey.txt that needs to be converted to pdf inject
4. Create a nc listener nc -lp 5000
5. Run python3 dodyssey.py
6. You will get a hit on your nc showing we have successfully proceeded to send a server side request
7. dodyssey.py will show error since there is no img file on the url but we are able to do SSRF
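
An application-side allow-list check in the spirit of the trustedSchemes and trustedHosts advice above, run on markup before it reaches the PDF renderer. This is an added example, not ReportLab's code and not part of the original advisory; the policy values, host names and function names are assumptions made for illustration.

```python
from fnmatch import fnmatchcase
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: only HTTPS images from known asset hosts.
# Local file paths are rejected too; allow them separately if documents need them.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = ["assets.example.com", "*.cdn.example.com"]

# Constructed sample markup (not taken from the advisory).
SAMPLE_MARKUP = (
    '<para>Logo <img src="https://assets.example.com/logo.png" width="40"/> '
    '<img src="http://untrusted.example.net:5000/probe.png"/> '
    '<img src="https://assets.example.com@untrusted.example.net/a.png"/></para>'
)


class _ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in paragraph markup."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources.append(dict(attrs).get("src") or "")


def is_allowed_src(src):
    """True only for an absolute URL whose scheme and host are both allowed."""
    try:
        parts = urlsplit(src.strip())
    except ValueError:  # malformed netloc, e.g. an unbalanced IPv6 bracket
        return False
    # .hostname drops any userinfo, so "allowed-host@other-host" is judged
    # by the host that would actually be contacted.
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    return any(fnmatchcase(host, pattern) for pattern in ALLOWED_HOSTS)


def rejected_img_sources(markup):
    """Return the img sources in markup that violate the allow-list."""
    collector = _ImgSrcCollector()
    collector.feed(markup)
    collector.close()
    return [src for src in collector.sources if not is_allowed_src(src)]
```

Refuse to render a document when `rejected_img_sources` returns a non-empty list, and keep the library-level trustedSchemes and trustedHosts settings in place as the second layer.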
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Reference
https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145
https://www.reportlab.com/docs/reportlab-userguide.pdf
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMUJA5GZTPQ5WRYUCCK2GEZM4W43N7HH/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZQSFCID67K6BTC655EQY6MNOF35QI44/
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
6.5
Base Severity
MEDIUM