CVE-2019-19450
published 2023-09-20

Priority: P261
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 4.45% (90.2th percentile)
paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.

Affected (5 ranges)

Vendor     Product           Version range                             Fixed in
debian     debian_linux
debian     python-reportlab  < python-reportlab 3.5.31-1 (bookworm)    python-reportlab 3.5.31-1 (bookworm)
paloalto   pan-os
reportlab  reportlab         < 3.5.31                                  3.5.31
reportlab  reportlab         >= 0, < 3.5.31                            3.5.31

Detection & IOCs (extracted from sources)

command: <unichar code="
path: paraparser.py
  • Detect crafted XML/HTML input containing a 'unichar' element with a 'code' attribute, which is the attack vector for triggering arbitrary Python code evaluation in ReportLab's paraparser.py
  • Monitor PDF generation workflows that accept untrusted HTML/XML input processed by python-reportlab; a malicious 'unichar' tag in input can lead to remote code execution during PDF rendering
  • Flag applications using python-reportlab versions prior to 3.5.31 that parse untrusted input files, as they are vulnerable to code injection via the unichar element attribute
  • The vulnerability is fixed in ReportLab 3.5.31; systems running earlier versions of python-reportlab are exploitable. Red Hat Enterprise Linux 6 packages are out of support scope and will not receive a fix.
  • No mitigation is available from Red Hat for affected products; the only remediation is upgrading to a fixed version.
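One way to implement the first detection bullet above, as an added example that is not code from this page or from ReportLab: a stdlib-only auditor that parses incoming paragraph markup and reports every unichar element whose code attribute is not a plain integer literal. Treating only decimal or 0x-prefixed integer literals as legitimate is an assumption made for this check, not ReportLab's own validation rule, and the sample markup is constructed.

```python
import re
from html.parser import HTMLParser

# Assumption (not stated on the page): a legitimate unichar `code` value is a
# single integer literal, decimal or 0x-prefixed hex. Anything else (expressions,
# calls, names, or a missing attribute) is reported for review.
_SAFE_CODE = re.compile(r"^\s*(?:0[xX][0-9a-fA-F]{1,6}|[0-9]{1,7})\s*$")


class UnicharAuditor(HTMLParser):
    """Collects every <unichar> whose code attribute is not a plain integer literal."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (code attribute value or None, line number)

    def handle_starttag(self, tag, attrs):
        # Self-closing <unichar .../> tags also arrive here via handle_startendtag.
        if tag != "unichar":
            return
        code = dict(attrs).get("code")
        if code is None or not _SAFE_CODE.match(code):
            line, _col = self.getpos()  # position of the offending tag
            self.findings.append((code, line))


def audit_unichar(markup: str) -> list:
    """Return [(code_value, line), ...] for every suspicious unichar element in markup."""
    auditor = UnicharAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Constructed samples, not taken from any real document.
BENIGN = '<para>Snowman <unichar code="0x2603"/> and <unichar code="9731"/> ok</para>'
SUSPICIOUS = (
    "<para>Hello\n"
    "<unichar code=\"__import__('os').getcwd()\"/>\n"  # a call, not a code point
    '<unichar code="2+2"/>\n'                          # an expression, not a literal
    "<unichar/></para>"                                # attribute missing entirely
)

if __name__ == "__main__":
    print(audit_unichar(BENIGN))      # []
    print(audit_unichar(SUSPICIOUS))  # [("__import__('os').getcwd()", 2), ('2+2', 3), (None, 4)]
```

Run it over the markup before handing it to the paragraph parser, and route any non-empty result to review or rejection, in addition to upgrading to 3.5.31 or later.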

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa                    9.8    CRITICAL
osv                     9.8    CRITICAL
vendor_debian           9.8    CRITICAL
vendor_redhat           9.8    CRITICAL