{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-28463", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "dateUpdated": "2024-09-17T01:27:03.761Z", "dateReserved": "2020-11-12T00:00:00", "datePublished": "2021-02-18T16:00:21.220773Z"}, "containers": {"cna": {"title": "Server-side Request Forgery (SSRF)", "datePublic": "2021-02-18T00:00:00", "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-09-29T21:06:26.944415"}, "descriptions": [{"lang": "en", "value": "All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject <img src=\"http://127.0.0.1:5000\" valign=\"top\"/> 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF"}], "affected": [{"vendor": "n/a", "product": "reportlab", "versions": [{"version": "0", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}]}], "references": [{"url": "https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145"}, {"url": "https://www.reportlab.com/docs/reportlab-userguide.pdf"}, {"name": "FEDORA-2021-13cdc0ab0e", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMUJA5GZTPQ5WRYUCCK2GEZM4W43N7HH/"}, {"name": "FEDORA-2021-04bfae8300", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZQSFCID67K6BTC655EQY6MNOF35QI44/"}, {"name": "[debian-lts-announce] 20230929 [SECURITY] [DLA 3590-1] python-reportlab security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html"}], "credits": [{"lang": "en", "value": "Karan Bamal"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "baseScore": 6.5, "temporalScore": 6.2, "baseSeverity": "MEDIUM", "temporalSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Server-side Request Forgery (SSRF)"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:40:59.361Z"}, "title": "CVE Program Container", "references": [{"url": "https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145", "tags": ["x_transferred"]}, {"url": "https://www.reportlab.com/docs/reportlab-userguide.pdf", "tags": ["x_transferred"]}, {"name": "FEDORA-2021-13cdc0ab0e", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMUJA5GZTPQ5WRYUCCK2GEZM4W43N7HH/"}, {"name": "FEDORA-2021-04bfae8300", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZQSFCID67K6BTC655EQY6MNOF35QI44/"}, {"name": "[debian-lts-announce] 20230929 [SECURITY] [DLA 3590-1] python-reportlab security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:reportlab:reportlab:*:*:*:*:*:*:*:*", "matchCriteriaId": "96329C58-2A30-4D2E-A421-B7FF3BC6CF55", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject <img src=\"http://127.0.0.1:5000\" valign=\"top\"/> 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF"}, {"lang": "es", "value": "Todas las versiones del paquete reportlab son vulnerables a un ataque de tipo Server-side Request Forgery (SSRF) por medio de etiquetas img.&#xa0;Para reducir el riesgo, utilice TrustSchemes y TrustHosts (consulte la documentaci\u00f3n de Reportlab). Pasos para reproducir por Karan Bamal: 1. Descargue e instale el \u00faltimo paquete de reportlab 2. Vaya a demos -) odyssey -) dodyssey 3. En el archivo de texto odyssey.txt que necesita ser convertido a pdf inyecte (img src=\"http://127.0.0.1:5000\" valign= top\" /) 4. Cree un oyente nc nc -lp 5000 5. Ejecute python3 dodyssey.py 6. Recibir\u00e1 un resultado en su nc que muestra que hemos procedido con \u00e9xito a enviar una petici\u00f3n del lado del servidor 7. dodyssey.py mostrar\u00e1 un error ya que no contiene un archivo img en la URL, pero somos capaces de hacer un ataque de tipo SSRF"}], "id": "CVE-2020-28463", "lastModified": "2023-11-07T03:21:22.187", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2021-02-18T16:15:12.707", "references": [{"source": "report@snyk.io", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMUJA5GZTPQ5WRYUCCK2GEZM4W43N7HH/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZQSFCID67K6BTC655EQY6MNOF35QI44/"}, {"source": "report@snyk.io", "tags": ["Exploit", "Release Notes", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145"}, {"source": "report@snyk.io", "tags": ["Product", "Vendor Advisory"], "url": "https://www.reportlab.com/docs/reportlab-userguide.pdf"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "python-reportlab: Server-side request forgery via img tags", "id": "1930416", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930416"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-918", "details": ["All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject <img src=\"http://127.0.0.1:5000\" valign=\"top\"/> 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF", "A flaw was found in python-reportlab. A Server-side Request Forgery (SSRF) vulnerability is possible via img tags."], "name": "CVE-2020-28463", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "python-reportlab", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "python-reportlab", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "python-reportlab", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2021-02-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-28463\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-28463\nhttps://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145"], "statement": "This flaw is out of support scope for the following products:\n* Red Hat Enterprise Linux 6\n* Red Hat Enterprise Linux 7\nTo learn more about Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata/", "threat_severity": "Moderate"}