CVE-2019-17626
Published: 2019-10-16
Priority: P264 · critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 10.23% (95.1th percentile)
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | python-reportlab | < python-reportlab 3.5.31-1 (bookworm) | python-reportlab 3.5.31-1 (bookworm) |
| debian | python-reportlab | < python-reportlab 3.5.34-1 (bookworm) | python-reportlab 3.5.34-1 (bookworm) |
| paloalto | pan-os | — | — |
| reportlab | reportlab | < 3.5.31 | 3.5.31 |
| reportlab | reportlab | <= 3.5.26 | — |
| reportlab | reportlab | >= 0 < 3.5.31 | 3.5.31 |
| reportlab | reportlab | >= 0 < 3.5.28 | 3.5.28 |
Detection & IOCs (extracted from sources)
- Inspect XML/HTML input processed by ReportLab for '<span color="' tags whose attribute value is not a color literal but a Python expression; such values are passed to eval() via toColor() in colors.py.
- Monitor applications that use python-reportlab to parse untrusted input files; any call path reaching toColor() with user-controlled input is exploitable for RCE.
- The vulnerability exists in ReportLab versions through 3.5.26. Upstream fixed it in 3.5.28 (the later 3.5.31 also closes the related CVE-2019-19450 in paraparser.py); distribution fixes are 3.5.34-1 (Debian) and 3.5.34-2 (Fedora). Ensure the installed version is at or above the fixed release.
- Red Hat Quay will not fix this CVE because it only affects a non-supported feature disabled behind a feature flag; detections targeting Quay deployments may produce false positives.
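A concrete form of the checks listed above, as an added example that is not ReportLab's or any vendor's code: an eval-free color parser of the kind a hardened toColor() needs, a scanner that flags paragraph markup whose color="..." or <unichar code="..."> values are not plain literals, and a version-floor check. The set of color attribute names, the named-color subset, the accepted shape of a unichar code, and the sample markup are assumptions constructed for the demo; it runs without ReportLab installed.

```python
# Added example for this CVE page; not ReportLab's code. It shows (1) an
# eval-free color parser that replaces the toColor(eval(arg)) fallback the
# advisory describes, (2) a scanner that flags paragraph markup whose
# color="..." or <unichar code="..."> values are not plain literals, and
# (3) a version floor check. Sample markup below is constructed for the demo.
import re
from html.parser import HTMLParser

# Assumption: a benign color is a known name, a #hex literal, or rgb(r,g,b).
# Only a handful of names are listed here; a real deployment would load the
# full table it ships with.
NAMED_COLORS = {
    "black": (0.0, 0.0, 0.0), "white": (1.0, 1.0, 1.0),
    "red": (1.0, 0.0, 0.0), "green": (0.0, 0.5, 0.0),
    "blue": (0.0, 0.0, 1.0), "yellow": (1.0, 1.0, 0.0),
}
HEX_RE = re.compile(r"^#([0-9a-f]{6}|[0-9a-f]{3})$")
RGB_RE = re.compile(r"^rgb\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)$")
# Assumption: a benign unichar code is a decimal or 0x-prefixed hex integer.
CODE_RE = re.compile(r"^(\d{1,7}|0x[0-9a-f]{1,6})$")

# Attribute names assumed to reach toColor() in paragraph markup.
COLOR_ATTRS = {"color", "backcolor", "textcolor", "strokecolor", "fillcolor"}


def safe_to_color(value):
    """Parse a color literal to an (r, g, b) float tuple without eval().

    Anything that is not a recognised literal raises ValueError, which is the
    behaviour a hardened toColor() must have for attacker-controlled input.
    """
    v = value.strip().lower()
    if v in NAMED_COLORS:
        return NAMED_COLORS[v]
    m = HEX_RE.match(v)
    if m:
        h = m.group(1)
        if len(h) == 3:                      # expand #rgb to #rrggbb
            h = "".join(c * 2 for c in h)
        return tuple(int(h[i:i + 2], 16) / 255.0 for i in (0, 2, 4))
    m = RGB_RE.match(v)
    if m:
        chans = tuple(int(x) for x in m.groups())
        if max(chans) > 255:
            raise ValueError("rgb channel out of range: %r" % value)
        return tuple(c / 255.0 for c in chans)
    raise ValueError("not a color literal: %r" % value)


class MarkupAuditor(HTMLParser):
    """Walk paragraph markup and record attribute values that would hit eval()."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, offending value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name in COLOR_ATTRS:
                try:
                    safe_to_color(value)
                except ValueError:
                    self.findings.append((tag, name, value))
            elif tag == "unichar" and name == "code" and not CODE_RE.match(value.strip().lower()):
                self.findings.append((tag, name, value))


def audit_markup(text):
    """Return the list of (tag, attr, value) findings for one markup document."""
    auditor = MarkupAuditor()
    auditor.feed(text)
    auditor.close()
    return auditor.findings


def is_patched(version, floor=(3, 5, 31)):
    """True if a ReportLab version string is at or above the fix for both
    CVE-2019-17626 (upstream 3.5.28) and CVE-2019-19450 (upstream 3.5.31)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts + (0,) * (3 - len(parts)) >= floor


# Constructed samples: one benign document, two shaped like the advisory's
# description of the malicious input (they are only strings; nothing runs).
BENIGN = '<para><span color="red">ok</span> <span color="#00FF00">ok</span> <unichar code="9786"/></para>'
BAD_COLOR = '<para><span color="__import__(\'os\').system(\'id\')">x</span></para>'
BAD_UNICHAR = '<para><unichar code="__import__(\'os\').system(\'id\')"/></para>'

if __name__ == "__main__":
    for doc in (BENIGN, BAD_COLOR, BAD_UNICHAR):
        print(audit_markup(doc))
    print(is_patched("3.5.26"), is_patched("3.5.34"))
```

The scanner is an allow-list, not a blocklist: it rejects anything that is not a literal rather than looking for `__import__` or `os.system`, so obfuscated expressions fail the same way. Run it over files before they reach the PDF pipeline, or over archived inputs to find past exploitation attempts.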
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Palo Alto
PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS
vendor_paloalto · 2024-04-10 · CVSS 9.8 · listed under CVE-2015-5739 [CRITICAL]
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution.
| CVE | Summary |
|---|---|
| CVE-2015-5739 | This CVE is fixed in PAN-OS 11.0.4, and all later PAN-OS versions. |
| CVE-2016-10228 | This CVE is fixed in PAN-OS 11.1.3, and all later PAN-OS versions. |
| CVE-2017-8923 | This CVE is fixed in PAN-OS 10.2.8, 11.0.3, and all later PAN-OS versions. |
| CVE-2017-9120 | This CVE is fixed in PAN-OS 10.2.8, 11.0.3, and all later PAN-OS versions. |
| CVE-2018-25009 | This CVE is fixed in PAN-OS 10.2.8, 11.0.4, 11.1.3, and all later PAN-OS versions. |
| CVE-2 | |
Red Hat
python-reportlab: code injection in paraparser.py allows code execution
vendor_redhat · 2023-09-20 · CVSS 9.8 · CVE-2019-19450 [CRITICAL] · CWE-91
paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.
A code injection vulnerability was found in python-reportlab that may allow an attacker to execute code while parsing a unichar element attribute. An application that uses python-reportlab to parse untrusted input files may be vulnerable and could allow remote code execution.
Statement: To exploit the issue, a malicious user has to supply crafted HTML input containing a malicious 'unichar' tag and then use ReportLab's feature to generate a PDF of the document.
Ubuntu
ReportLab vulnerability
vendor_ubuntu · 2020-02-06 · CVE-2019-17626
Summary: ReportLab could be made to run programs as your login if it opened a specially crafted file.
It was discovered that ReportLab incorrectly handled certain XML documents. If a user or automated system were tricked into processing a specially crafted document, a remote attacker could possibly use this issue to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
python-reportlab: code injection in colors.py allows attacker to execute code
vendor_redhat · 2019-10-16 · CVSS 9.8 · CVE-2019-17626 [CRITICAL] · CWE-95
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
A code injection vulnerability in python-reportlab allows an attacker to execute code while parsing a color attribute. An application that uses python-reportlab to parse untrusted input files may be vulnerable to this flaw and allow remote code execution.
Statement: This vulnerability will not be fixed in Red Hat Quay because it only affects a non-supported feature which is disabled behind a feature flag.
Mitigation: No known mitigation available.
Package: quay (Red Hat Quay 3) - Will not fix
Debian
CVE-2019-19450: python-reportlab
vendor_debian · 2019 · CVSS 9.8 · [CRITICAL]
paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.
Scope: local
bookworm: resolved (fixed in 3.5.31-1)
bullseye: resolved (fixed in 3.5.31-1)
forky: resolved (fixed in 3.5.31-1)
sid: resolved (fixed in 3.5.31-1)
trixie: resolved (fixed in 3.5.31-1)
Debian
CVE-2019-17626: python-reportlab
vendor_debian · 2019 · CVSS 9.8 · [CRITICAL]
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
Scope: local
bookworm: resolved (fixed in 3.5.34-1)
bullseye: resolved (fixed in 3.5.34-1)
forky: resolved (fixed in 3.5.34-1)
sid: resolved (fixed in 3.5.34-1)
trixie: resolved (fixed in 3.5.34-1)
OSV
ReportLab vulnerable to remote code execution via paraparser
osv · 2023-09-20 · CVSS 9.8 · CVE-2019-19450 [CRITICAL]
paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.
GHSA
ReportLab vulnerable to remote code execution via paraparser
ghsa · 2023-09-20 · CVSS 9.8 · CVE-2019-19450 [CRITICAL] · CWE-91
paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.
OSV
CVE-2019-19450
osv · 2023-09-20 · CVSS 9.8 · [CRITICAL]
paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.
OSV
XML Injection in ReportLab
osv · 2022-05-24 · CVE-2019-17626 [CRITICAL]
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
GHSA
XML Injection in ReportLab
ghsa · 2022-05-24 · CVE-2019-17626 [CRITICAL] · CWE-91
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
OSV
CVE-2019-17626
osv · 2019-10-16 · CVSS 9.8 · [CRITICAL]
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-17626 python-reportlab: code injection in colors.py allows attacker to execute code [fedora-all]
bugzilla · 2019-11-07 · CVSS 9.8 · [CRITICAL]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects
Bugzilla
CVE-2019-17626 python-reportlab: code injection in colors.py allows attacker to execute code
bugzilla · 2019-11-07 · CVSS 9.8 · [CRITICAL]
A vulnerability was found in ReportLab through 3.5.26 that allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
Reference:
https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code
https://bitbucket.org/rptlab/reportlab/src/default/CHANGES.md
Discussion:
Created python-reportlab tracking bugs for this issue:
Affects: fedora-all [bug 1769662]
---
Applications that use python-reportlab to generate PDFs and accept untrusted input that may be evaluated as a color for an element of the generated PDF, could be vulnerable to this flaw. It allows a possibly
References
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00002.html
- https://access.redhat.com/errata/RHSA-2020:0195
- https://access.redhat.com/errata/RHSA-2020:0197
- https://access.redhat.com/errata/RHSA-2020:0201
- https://access.redhat.com/errata/RHSA-2020:0230
- https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code
- https://bitbucket.org/rptlab/reportlab/src/default/CHANGES.md
- https://lists.debian.org/debian-lts-announce/2020/02/msg00019.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSCTOE3DITFICY2XKBYZ5WAF5TSQ52DM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZPHP2BJSTP4IYCSJRQINP763IHO6ASL/
- https://security.gentoo.org/glsa/202007-35
- https://security.netapp.com/advisory/ntap-20240719-0006/
- https://usn.ubuntu.com/4273-1/
- https://www.debian.org/security/2020/dsa-4663