CVE Vulnerabilities

CVE-2020-28463

Server-Side Request Forgery (SSRF)

Published: Feb 18, 2021 | Modified: Nov 07, 2023
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
4 MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:N
RedHat/V2
RedHat/V3
5.4 MODERATE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Ubuntu
LOW

All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlabs documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF

Weakness

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Affected Software

Name Vendor Start Version End Version
Reportlab Reportlab * *
Python-reportlab Ubuntu bionic *
Python-reportlab Ubuntu groovy *
Python-reportlab Ubuntu hirsute *
Python-reportlab Ubuntu impish *
Python-reportlab Ubuntu kinetic *
Python-reportlab Ubuntu trusty *
Python-reportlab Ubuntu upstream *
Python-reportlab Ubuntu xenial *

References