Server-side Request Forgery (SSRF) Affecting reportlab package, versions [0,3.5.55)
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 0.16% (52nd percentile)
- Snyk ID SNYK-PYTHON-REPORTLAB-1022145
- published 3 Jan 2021
- disclosed 27 Oct 2020
- credit Karan Bamal
Introduced: 27 Oct 2020
CVE-2020-28463
How to fix?
Upgrade reportlab to version 3.5.55 or higher.
Overview
reportlab is a Python library for generating PDFs and graphics.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via img tags: an image source URL in the markup being rendered causes the library to make a request to that URL. To reduce risk, use trustedSchemes and trustedHosts (see Reportlab's documentation), introduced in version 3.5.55.
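As an added example (not reportlab's code, and not a reproduction of its exact trustedSchemes/trustedHosts behaviour), the stdlib-only Python filter below applies the same allow-list idea to untrusted markup before it reaches the PDF generator: any img source whose scheme or host falls outside constructed allow-lists is reported, so a loopback URL like the one in the proof of concept is rejected while bundled relative images and an allow-listed CDN pass. The allow-list values, hostnames and function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-lists for this example; reportlab's own defaults may differ.
TRUSTED_SCHEMES = ("https",)
TRUSTED_HOSTS = ("cdn.example.com",)


def img_src_allowed(src, trusted_schemes=TRUSTED_SCHEMES, trusted_hosts=TRUSTED_HOSTS):
    """Decide whether an <img src> value may be fetched.

    Relative paths (no scheme, no host) count as local files and pass.
    Anything else must match both allow-lists; an empty trusted_hosts
    tuple therefore blocks every remote fetch, loopback included.
    """
    parts = urlsplit(src.strip())
    if not parts.scheme and not parts.netloc:
        return True
    if parts.scheme not in trusted_schemes:  # urlsplit lowercases the scheme
        return False
    host = (parts.hostname or "").lower()
    return bool(host) and host in {h.lower() for h in trusted_hosts}


class _ImgSrcCollector(HTMLParser):
    """Collect src attributes of <img> tags; <img .../> also reaches handle_starttag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser lowercases tag and attribute names
            self.sources.extend(v for k, v in attrs if k == "src" and v is not None)


def find_blocked_img_sources(markup, **allow):
    """Return the <img src> values in untrusted markup that fail the allow-lists."""
    collector = _ImgSrcCollector()
    collector.feed(markup)
    collector.close()
    return [s for s in collector.sources if not img_src_allowed(s, **allow)]


if __name__ == "__main__":
    # Constructed untrusted markup; the loopback URL mirrors the advisory's proof of concept.
    sample = ('<img src="images/cover.png"/> '
              '<img src="http://127.0.0.1:5000" valign="top"/> '
              '<img src="https://cdn.example.com/logo.png"/>')
    print(find_blocked_img_sources(sample))  # ['http://127.0.0.1:5000']
```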
Steps to reproduce by Karan Bamal:
- Download and install the latest package of reportlab
- Go to demos -> odyssey -> dodyssey
- In the text file odyssey.txt that needs to be converted to PDF, inject
  <img src="http://127.0.0.1:5000" valign="top"/>
- Create an nc listener
  nc -lp 5000
- Run
  python3 dodyssey.py
- You will get a hit on your nc showing we have successfully proceeded to send a server-side request. dodyssey.py will show an error since there is no img file on the URL, but we are able to do SSRF