CVE-2019-17626: XML Injection (aka Blind XPath Injection) in Reportlab

Severity: 9.8 CRITICAL (NVD)
EPSS: 16.8% (top 5.03%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 16, 2019; latest update Apr 10, 2024

Description

ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document containing '<span color="' followed by arbitrary Python code. Despite the XML/XPath injection label in the title, this is Python code injection: a color attribute value the parser does not recognise as a named color is handed straight to eval(), so any document an attacker can get rendered (for example user-supplied text placed into Paragraph markup) runs code with the privileges of the rendering process, with no authentication or user interaction required (hence AV:N/PR:N/UI:N). The related CVE-2019-19450 listed below is the same class of bug, untrusted input evaluated in paraparser.py, and is fixed in 3.5.31; the package ranges below use that later version as the fixed bound, so upgrading to 3.5.31 or later covers both issues.
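To make the bug class concrete, the following is an added example and not ReportLab's own code: it reconstructs the eval()-based colour parsing pattern the CVE names (a deliberately vulnerable toy), places an allow-list parser next to it, and uses the safe parser to triage paragraph markup before it reaches a renderer. The named-colour table, the attribute names scanned, the sample markup and the payload are all constructed here for illustration and are assumptions, not values taken from ReportLab.

```python
"""Added example (not ReportLab's code): eval()-based colour parsing versus an
allow-list parser, plus a pre-render check over untrusted paragraph markup."""
import ast
import os
import re
import xml.etree.ElementTree as ET

# Assumed subset of a named-colour table; the real library ships a large one.
NAMED_COLORS = {
    "black": (0.0, 0.0, 0.0),
    "white": (1.0, 1.0, 1.0),
    "red": (1.0, 0.0, 0.0),
    "green": (0.0, 0.5, 0.0),
    "blue": (0.0, 0.0, 1.0),
}
HEX_RE = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")

# Constructed payload in the shape the CVE description gives: the attribute
# value is Python, not a colour. getpid() is used so the test can prove the
# string really executed without causing side effects.
PAYLOAD = "__import__('os').getpid()"
SAMPLE_MARKUP = (
    '<para>Invoice <span color="red">paid</span> '
    f'<span color="{PAYLOAD}">total</span></para>'
)


def to_color_vulnerable(arg):
    """Toy reconstruction of the pre-fix pattern: anything that is not a known
    colour name goes to eval(), so attacker text runs as Python. Never use."""
    key = arg.strip().lower()
    if key in NAMED_COLORS:
        return NAMED_COLORS[key]
    return eval(arg)  # the toColor(eval(arg)) pattern from the description


def _hex_to_rgb(text):
    digits = text[1:]
    if len(digits) == 3:
        digits = "".join(ch * 2 for ch in digits)
    return tuple(int(digits[i:i + 2], 16) / 255.0 for i in (0, 2, 4))


def to_color_safe(arg):
    """Allow-list parser: a named colour, #rgb/#rrggbb, or a literal tuple of
    three numbers in [0, 1]. Everything else raises; nothing is executed."""
    text = arg.strip()
    if text.lower() in NAMED_COLORS:
        return NAMED_COLORS[text.lower()]
    if HEX_RE.match(text):
        return _hex_to_rgb(text)
    try:
        value = ast.literal_eval(text)  # literals only: no names, no calls
    except (ValueError, SyntaxError):
        raise ValueError(f"not a colour literal: {arg!r}")
    if (isinstance(value, tuple) and len(value) == 3
            and all(isinstance(c, (int, float)) and 0 <= c <= 1 for c in value)):
        return tuple(float(c) for c in value)
    raise ValueError(f"not a colour literal: {arg!r}")


def find_suspicious_colors(markup):
    """Return (tag, value) for every colour-like attribute that the allow-list
    parser rejects. The attribute names are an assumed subset of the markup."""
    bad = []
    for elem in ET.fromstring(markup).iter():
        for attr in ("color", "backcolor"):
            value = elem.get(attr)
            if value is None:
                continue
            try:
                to_color_safe(value)
            except ValueError:
                bad.append((elem.tag, value))
    return bad


def demonstrate():
    """Same payload through both parsers: returns (executed, rejected)."""
    executed = to_color_vulnerable(PAYLOAD) == os.getpid()
    try:
        to_color_safe(PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return executed, rejected


if __name__ == "__main__":
    print("vulnerable parser executed payload, safe parser rejected it:", demonstrate())
    print("flagged attributes:", find_suspicious_colors(SAMPLE_MARKUP))
```

The scanner is a defence-in-depth triage step for deployments that cannot upgrade immediately; the actual fix is the upgrade, which you can confirm with `python -c "import reportlab; print(reportlab.Version)"` on each host that renders untrusted markup. ast.literal_eval is used because it evaluates literal syntax only and raises on names and calls, which is exactly the boundary eval() lacks.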

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

Debian: debian/python-reportlab < 3.5.31-1 (bookworm) (+1 more)
NVD: reportlab/reportlab < 3.5.31 (+1 more)
PyPI: reportlab/reportlab < 3.5.31 (+1 more)
Palo Alto: paloalto/pan-os

Also affects: Debian Linux 10.0

Vulnerability Details

OSV: ReportLab vulnerable to remote code execution via paraparser (2023-09-20)
GHSA: ReportLab vulnerable to remote code execution via paraparser (2023-09-20)
OSV: CVE-2019-19450: paraparser in ReportLab before 3... (2023-09-20)
OSV: XML Injection in ReportLab (2022-05-24)
GHSA: XML Injection in ReportLab (2022-05-24)

Vendor Advisories

Palo Alto: PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS (2024-04-10)
Red Hat: python-reportlab: code injection in paraparser.py allows code execution (2023-09-20)
Ubuntu: ReportLab vulnerability (2020-02-06)
Red Hat: python-reportlab: code injection in colors.py allows attacker to execute code (2019-10-16)
Debian: CVE-2019-19450: python-reportlab - paraparser in ReportLab before 3.5.31 allows remote code execution because start... (2019)

Community

Bugzilla: CVE-2019-17626 python-reportlab: code injection in colors.py allows attacker to execute code [fedora-all] (2019-11-07)
Bugzilla: CVE-2019-17626 python-reportlab: code injection in colors.py allows attacker to execute code (2019-11-07)