CVE-2019-19450
Published: 2023-09-20
Priority: P2 · 61 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.45% (90.2th percentile)

paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | python-reportlab | < python-reportlab 3.5.31-1 (bookworm) | python-reportlab 3.5.31-1 (bookworm) |
| paloalto | pan-os | — | — |
| reportlab | reportlab | < 3.5.31 | 3.5.31 |
| reportlab | reportlab | >= 0 < 3.5.31 | 3.5.31 |
Detection & IOCs (extracted from sources)
- Detect crafted XML/HTML input containing a 'unichar' element with a 'code' attribute, which is the attack vector for triggering arbitrary Python code evaluation in ReportLab's paraparser.py
- Monitor PDF generation workflows that accept untrusted HTML/XML input processed by python-reportlab; a malicious 'unichar' tag in input can lead to remote code execution during PDF rendering
- Flag applications using python-reportlab versions prior to 3.5.31 that parse untrusted input files, as they are vulnerable to code injection via the unichar element attribute
- The vulnerability is fixed in ReportLab 3.5.31; systems running earlier versions of python-reportlab are exploitable. Red Hat Enterprise Linux 6 packages are out of support scope and will not receive a fix.
- No mitigation is available from Red Hat for affected products; the only remediation is upgrading to a fixed version.
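The detection items above translate into two pre-parse checks an application can run before handing untrusted markup to ReportLab: a version gate against 3.5.31 and a scan of the markup for a 'unichar' element carrying a 'code' attribute. The following is an added example for this page, not ReportLab's own code or the advisory's; the function names are hypothetical, the sample inputs are constructed, and the option to allow plain integer code points rests on the assumption that an integer code point is the only legitimate content of that attribute.

```python
"""Pre-parse screening for markup destined for ReportLab's Paragraph/paraparser
(CVE-2019-19450).  Added example for this page, not ReportLab's own code; the
function names are hypothetical.

Two defender-side checks:
  1. is_vulnerable_version(): is the ReportLab version older than 3.5.31?
  2. suspicious_unichar_codes(): does untrusted markup carry a <unichar code=...>
     element, and if so is its value anything other than a plain integer code
     point?  (That the attribute is meant to hold an integer code point is an
     assumption of this example, not a statement from the advisory.)
"""
import re
from typing import List, Tuple

FIXED_VERSION = (3, 5, 31)  # first fixed release named in the advisory

# Start tag 'unichar' (any case, any attribute order, optional self-close)
# carrying a 'code' attribute; captures the attribute value for logging.
_UNICHAR_CODE_RE = re.compile(
    r"<\s*unichar\b[^>]*?\bcode\s*=\s*(?P<q>[\"'])(?P<value>.*?)(?P=q)[^>]*>",
    re.IGNORECASE | re.DOTALL,
)

# Decimal or hex integer literal, optionally surrounded by whitespace.
_INT_LITERAL_RE = re.compile(r"^\s*(0[xX][0-9A-Fa-f]+|\d+)\s*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.5.30' -> (3, 5, 30); stops at the first non-numeric component,
    so '3.6.0rc1' -> (3, 6, 0)."""
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the given ReportLab version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def find_unichar_code(markup: str) -> List[str]:
    """Raw 'code' attribute values of every <unichar code=...> in the markup."""
    return [m.group("value") for m in _UNICHAR_CODE_RE.finditer(markup)]


def suspicious_unichar_codes(markup: str, allow_int_literals: bool = False) -> List[str]:
    """Values that should block the request.  By default every <unichar code=...>
    is reported; with allow_int_literals=True, plain integer code points are let
    through and only non-integer values are reported."""
    values = find_unichar_code(markup)
    if allow_int_literals:
        values = [v for v in values if _INT_LITERAL_RE.match(v) is None]
    return values


def screen_markup(markup: str, reportlab_version: str) -> dict:
    """Combine both checks into one decision record for logging / blocking."""
    hits = suspicious_unichar_codes(markup)
    return {
        "unichar_code_values": hits,
        "version_vulnerable": is_vulnerable_version(reportlab_version),
        # Block on any hit regardless of version: the element is not needed
        # for ordinary paragraph text and the attribute is the attack vector.
        "block": bool(hits),
    }


if __name__ == "__main__":
    # Constructed sample inputs (not taken from any real submission).
    benign = "<para>Price: <b>12 EUR</b> <unichar name='bullet'/> in stock</para>"
    flagged = '<para><UniChar   code = "0x2022" /> bullet via code point</para>'
    print(screen_markup(benign, "3.5.30"))
    print(screen_markup(flagged, "3.5.30"))
```

The regex deliberately tolerates odd casing, extra whitespace and either quote style, since the paraparser is lenient about the same things; the version gate is a second signal for inventory scans rather than a substitute for blocking the element, because the page reports no vendor mitigation other than upgrading.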
CVSS provenance
- nvd: v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- ghsa: 9.8 CRITICAL
- osv: 9.8 CRITICAL
- vendor_debian: 9.8 CRITICAL
- vendor_redhat: 9.8 CRITICAL
OSV · 2023-09-20 · CVSS 9.8
CVE-2019-19450 [CRITICAL] ReportLab vulnerable to remote code execution via paraparser

GHSA · 2023-09-20 · CVSS 9.8
CVE-2019-19450 [CRITICAL] CWE-91 ReportLab vulnerable to remote code execution via paraparser

OSV · 2023-09-20 · CVSS 9.8
CVE-2019-19450 [CRITICAL] CVE-2019-19450: paraparser in ReportLab before 3
Palo Alto · vendor_paloalto · 2024-04-10 · CVSS 9.8
CVE-2015-5739 [CRITICAL] PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution. CVE Summary CVE-2015-5739 This CVE is fixed in PAN-OS 11.0.4, and all later PAN-OS versions. CVE-2016-10228 This CVE is fixed in PAN-OS 11.1.3, and all later PAN-OS versions. CVE-2017-8923 This CVE is fixed in PAN-OS 10.2.8, 11.0.3, and all later PAN-OS versions. CVE-2017-9120 This CVE is fixed in PAN-OS 10.2.8, 11.0.3, and all later PAN-OS versions. CVE-2018-25009 This CVE is fixed in PAN-OS 10.2.8, 11.0.4, 11.1.3, and all later PAN-OS versions. CVE-2
Red Hat · vendor_redhat · 2023-09-20 · CVSS 9.8
CVE-2019-19450 [CRITICAL] CWE-91 python-reportlab: code injection in paraparser.py allows code execution
A code injection vulnerability was found in python-reportlab that may allow an attacker to execute code while parsing a unichar element attribute. An application that uses python-reportlab to parse untrusted input files may be vulnerable and could allow remote code execution.
Statement: To exploit the issue, a malicious user has to use a crafted malicious HTML 'unichar' tag input and then use ReportLab's feature to generate a PDF of the document.
Debian · vendor_debian · 2019 · CVSS 9.8
CVE-2019-19450 [CRITICAL] CVE-2019-19450: python-reportlab - paraparser in ReportLab before 3.5.31 allows remote code execution because start...
Scope: local
- bookworm: resolved (fixed in 3.5.31-1)
- bullseye: resolved (fixed in 3.5.31-1)
- forky: resolved (fixed in 3.5.31-1)
- sid: resolved (fixed in 3.5.31-1)
- trixie: resolved (fixed in 3.5.31-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md
- https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHMCB2GJQKFMGVO5RWHN222NQL5XYPHZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HADPTB3SBU7IVRMDK7OL6WSQRU5AFWDZ/
- https://pastebin.com/5MicRrr4