CVE-2020-28463
All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject <img src="http://127.0.0.1:5000" valign="top"/> 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF
EPSS 1.16% · 79.0th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | python-reportlab | 0, 3.5.23-1, 3.5.28-1 |
| Ubuntu:18.04:LTS | python-reportlab | 0, 3.4.0-3ubuntu0.1, 3.4.0-3build1 |
| Ubuntu:16.04:LTS | python-reportlab | 3.3.0-1ubuntu0.1, 0, 3.2.0-1build2 |
Exploit Intelligence
- https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145 (nist-nvd)
- cve-2015-9251 (github-poc)
- cve-2015-9251 (github-poc)
- cve-2015-9251 (github-poc)
- cve-2015-9251 (github-poc)
- cve-2015-9251 (github-poc)
- cve-2015-9251 (github-poc)
- cve-2015-9251 (github-poc)
- cve-2015-9251 (github-poc)
- cve-2015-9251 (github-poc)
…and 160 more exploits
Timeline
- Feb 18, 2021 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 6, 2021 PoC Published
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Apr 7, 2022 PoC Published
- Jul 3, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-28463 third-party-advisory
- https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-28463 third-party-advisory