CVE-2019-17626 - XML Injection (aka Blind XPath Injection) vulnerability in Reportlab

CVSS 9.8 - CRITICAL

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: HIGH
  • Integrity impact: HIGH
  • Availability impact: HIGH

Tags: network, low complexity, reportlab, CWE-91, critical, nessus

Summary

ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • XML Injection
    An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
  • XPath Injection
    An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that he normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database. In order to successfully inject XML and retrieve information from a database, an attacker:

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-4273-1.NASL
    description: It was discovered that ReportLab incorrectly handled certain XML documents. If a user or automated system were tricked into processing a specially crafted document, a remote attacker could possibly use this issue to execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133551
    published: 2020-02-07
    reporter: Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133551
    title: Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : python-reportlab vulnerability (USN-4273-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4273-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133551);
      script_version("1.2");
      script_cvs_date("Date: 2020/02/12");
    
      script_cve_id("CVE-2019-17626");
      script_xref(name:"USN", value:"4273-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : python-reportlab vulnerability (USN-4273-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that ReportLab incorrectly handled certain XML
    documents. If a user or automated system were tricked into processing
    a specially crafted document, a remote attacker could possibly use
    this issue to execute arbitrary code.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4273-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected python-reportlab and / or python3-reportlab
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python-reportlab");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python3-reportlab");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/02/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.04|19\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04 / 19.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"python-reportlab", pkgver:"3.3.0-1ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"python3-reportlab", pkgver:"3.3.0-1ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"python-reportlab", pkgver:"3.4.0-3ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"python3-reportlab", pkgver:"3.4.0-3ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"python-reportlab", pkgver:"3.5.23-1ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"python3-reportlab", pkgver:"3.5.23-1ubuntu0.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-reportlab / python3-reportlab");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2020-0195.NASL
    description: An update for python-reportlab is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133166
    published: 2020-01-22
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133166
    title: RHEL 7 : python-reportlab (RHSA-2020:0195)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2020:0195. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133166);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/24");
    
      script_cve_id("CVE-2019-17626");
      script_xref(name:"RHSA", value:"2020:0195");
    
      script_name(english:"RHEL 7 : python-reportlab (RHSA-2020:0195)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for python-reportlab is now available for Red Hat Enterprise
    Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Python-reportlab is a library used for generation of PDF documents.
    
    Security Fix(es) :
    
    * python-reportlab: code injection in colors.py allows attacker to
    execute code (CVE-2019-17626)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2020:0195"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-17626"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected python-reportlab, python-reportlab-debuginfo and /
    or python-reportlab-docs packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-reportlab");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-reportlab-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-reportlab-docs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2020:0195";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-reportlab-2.5-9.el7_7.1")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"python-reportlab-2.5-9.el7_7.1")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-reportlab-debuginfo-2.5-9.el7_7.1")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"python-reportlab-debuginfo-2.5-9.el7_7.1")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-reportlab-docs-2.5-9.el7_7.1")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"python-reportlab-docs-2.5-9.el7_7.1")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-reportlab / python-reportlab-debuginfo / etc");
      }
    }
    
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2020-0012_PYTHON-REPORTLAB.NASL
    description: The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has python-reportlab packages installed that are affected by a vulnerability: - ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with
    last seen: 2020-03-18
    modified: 2020-03-08
    plugin id: 134317
    published: 2020-03-08
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/134317
    title: NewStart CGSL CORE 5.04 / MAIN 5.04 : python-reportlab Vulnerability (NS-SA-2020-0012)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2020-0012. The text
    # itself is copyright (C) ZTE, Inc.
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(134317);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/10");
    
      script_cve_id("CVE-2019-17626");
    
      script_name(english:"NewStart CGSL CORE 5.04 / MAIN 5.04 : python-reportlab Vulnerability (NS-SA-2020-0012)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by a vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has python-reportlab packages installed that are
    affected by a vulnerability:
    
      - ReportLab through 3.5.26 allows remote code execution
        because of toColor(eval(arg)) in colors.py, as
        demonstrated by a crafted XML document with '");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2020-0012");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL python-reportlab packages. Note that updated packages may not be available yet. Please
    contact ZTE for more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-17626");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL CORE 5.04" &&
        release !~ "CGSL MAIN 5.04")
      audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL CORE 5.04": [
        "python-reportlab-2.5-9.el7_7.1",
        "python-reportlab-debuginfo-2.5-9.el7_7.1",
        "python-reportlab-docs-2.5-9.el7_7.1"
      ],
      "CGSL MAIN 5.04": [
        "python-reportlab-2.5-9.el7_7.1",
        "python-reportlab-debuginfo-2.5-9.el7_7.1",
        "python-reportlab-docs-2.5-9.el7_7.1"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-reportlab");
    }
    
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2020-0201.NASL
    description: From Red Hat Security Advisory 2020:0201 : An update for python-reportlab is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133185
    published: 2020-01-23
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133185
    title: Oracle Linux 8 : python-reportlab (ELSA-2020-0201)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2020:0201 and 
    # Oracle Linux Security Advisory ELSA-2020-0201 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133185);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/27");
    
      script_cve_id("CVE-2019-17626");
      script_xref(name:"RHSA", value:"2020:0201");
    
      script_name(english:"Oracle Linux 8 : python-reportlab (ELSA-2020-0201)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2020:0201 :
    
    An update for python-reportlab is now available for Red Hat Enterprise
    Linux 8.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Python-reportlab is a library used for generation of PDF documents.
    
    Security Fix(es) :
    
    * python-reportlab: code injection in colors.py allows attacker to
    execute code (CVE-2019-17626)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2020-January/009542.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected python-reportlab package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python3-reportlab");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:8");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 8", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL8", cpu:"x86_64", reference:"python3-reportlab-3.4.0-6.el8_1.2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python3-reportlab");
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20200121_PYTHON_REPORTLAB_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626)
    last seen2020-03-18
    modified2020-01-23
    plugin id133193
    published2020-01-23
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133193
    titleScientific Linux Security Update : python-reportlab on SL6.x i386/x86_64 (20200121)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-2112.NASL
    descriptionIt was found that ReportLab, a Python library to create PDF documents, did not properly parse color strings, allowing an attacker to execute arbitrary code through a crafted input document. For Debian 8
    last seen2020-03-17
    modified2020-02-24
    plugin id133874
    published2020-02-24
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133874
    titleDebian DLA-2112-1 : python-reportlab security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0255-1.NASL
    descriptionThis update for python-reportlab fixes the following issues : CVE-2019-17626: Fixed a potential remote code execution because of the lack of input sanitization in toColor() (bsc#1154370). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id133349
    published2020-01-30
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133349
    titleSUSE SLED15 / SLES15 Security Update : python-reportlab (SUSE-SU-2020:0255-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-0197.NASL
    descriptionFrom Red Hat Security Advisory 2020:0197 : An update for python-reportlab is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id133155
    published2020-01-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133155
    titleOracle Linux 6 : python-reportlab (ELSA-2020-0197)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2020-0195.NASL
    descriptionAn update for python-reportlab is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id133311
    published2020-01-30
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133311
    titleCentOS 7 : python-reportlab (CESA-2020:0195)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-4663.NASL
    description: It was discovered that python-reportlab, a Python library to create PDF documents, is prone to a code injection vulnerability while parsing a color attribute. An attacker can take advantage of this flaw to execute arbitrary code if a specially crafted document is processed.
    last seen: 2020-05-03
    modified: 2020-04-27
    plugin id: 135983
    published: 2020-04-27
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/135983
    title: Debian DSA-4663-1 : python-reportlab - security update
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2020-0197.NASL
    description: An update for python-reportlab is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133168
    published: 2020-01-22
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133168
    title: RHEL 6 : python-reportlab (RHSA-2020:0197)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20200122_PYTHON_REPORTLAB_ON_SL7_X.NASL
    description: Security Fix(es) : - python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626)
    last seen: 2020-03-18
    modified: 2020-01-23
    plugin id: 133197
    published: 2020-01-23
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133197
    title: Scientific Linux Security Update : python-reportlab on SL7.x x86_64 (20200122)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2020-0195.NASL
    description: From Red Hat Security Advisory 2020:0195 : An update for python-reportlab is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133183
    published: 2020-01-23
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133183
    title: Oracle Linux 7 : python-reportlab (ELSA-2020-0195)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2020-1428.NASL
    description: According to the version of the python-reportlab package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with
    last seen: 2020-05-06
    modified: 2020-04-15
    plugin id: 135557
    published: 2020-04-15
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/135557
    title: EulerOS 2.0 SP3 : python-reportlab (EulerOS-SA-2020-1428)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2020-160.NASL
    description: This update for python-reportlab fixes the following issues : - CVE-2019-17626: Fixed a potential remote code execution because of the lack of input sanitization in toColor() (bsc#1154370). This update was imported from the SUSE:SLE-15:Update update project.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133488
    published: 2020-02-05
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133488
    title: openSUSE Security Update : python-reportlab (openSUSE-2020-160)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2020-0230.NASL
    description: An update for python-reportlab is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133283
    published: 2020-01-28
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133283
    title: RHEL 8 : python-reportlab (RHSA-2020:0230)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2020-1129.NASL
    description: According to the version of the python-reportlab package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Python PDF generation library. Security Fix(es): ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with
    last seen: 2020-05-06
    modified: 2020-02-24
    plugin id: 133930
    published: 2020-02-24
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133930
    title: EulerOS 2.0 SP5 : python-reportlab (EulerOS-SA-2020-1129)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2020-D2FB999600.NASL
    description: Release 3.5.34 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133241
    published: 2020-01-27
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133241
    title: Fedora 30 : python-reportlab (2020-d2fb999600)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2020-0201.NASL
    description: An update for python-reportlab is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133189
    published: 2020-01-23
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133189
    title: RHEL 8 : python-reportlab (RHSA-2020:0201)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2020-F3E0BA2F79.NASL
    description: Release 3.5.34 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133378
    published: 2020-01-31
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133378
    title: Fedora 31 : python-reportlab (2020-f3e0ba2f79)
  • NASL family: Amazon Linux Local Security Checks
    NASL id: AL2_ALAS-2020-1390.NASL
    description: ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133554
    published: 2020-02-10
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133554
    title: Amazon Linux 2 : python-reportlab (ALAS-2020-1390)
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2020-0021_PYTHON-REPORTLAB.NASL
    description: The remote NewStart CGSL host, running version MAIN 4.05, has python-reportlab packages installed that are affected by a vulnerability: - ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with
    last seen: 2020-03-18
    modified: 2020-03-08
    plugin id: 134313
    published: 2020-03-08
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/134313
    title: NewStart CGSL MAIN 4.05 : python-reportlab Vulnerability (NS-SA-2020-0021)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2020-0197.NASL
    description: An update for python-reportlab is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133313
    published: 2020-01-30
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133313
    title: CentOS 6 : python-reportlab (CESA-2020:0197)

Redhat

advisories
  • bugzilla
    id: 1769661
    title: CVE-2019-17626 python-reportlab: code injection in colors.py allows attacker to execute code
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 7 is installed
        oval: oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment: python-reportlab-docs is earlier than 0:2.5-9.el7_7.1
            oval: oval:com.redhat.rhsa:tst:20200195001
          • comment: python-reportlab-docs is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20200195002
        • AND
          • comment: python-reportlab is earlier than 0:2.5-9.el7_7.1
            oval: oval:com.redhat.rhsa:tst:20200195003
          • comment: python-reportlab is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20200195004
    rhsa
    id: RHSA-2020:0195
    released: 2020-01-21
    severity: Important
    title: RHSA-2020:0195: python-reportlab security update (Important)
  • bugzilla
    id: 1769661
    title: CVE-2019-17626 python-reportlab: code injection in colors.py allows attacker to execute code
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 6 is installed
        oval: oval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • comment: python-reportlab is earlier than 0:2.3-3.el6_10.1
            oval: oval:com.redhat.rhsa:tst:20200197001
          • comment: python-reportlab is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20200195004
        • AND
          • comment: python-reportlab-docs is earlier than 0:2.3-3.el6_10.1
            oval: oval:com.redhat.rhsa:tst:20200197003
          • comment: python-reportlab-docs is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20200195002
    rhsa
    id: RHSA-2020:0197
    released: 2020-01-21
    severity: Important
    title: RHSA-2020:0197: python-reportlab security update (Important)
  • bugzilla
    id: 1769661
    title: CVE-2019-17626 python-reportlab: code injection in colors.py allows attacker to execute code
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 8 is installed
        oval: oval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • comment: python-reportlab-debugsource is earlier than 0:3.4.0-6.el8_1.2
            oval: oval:com.redhat.rhsa:tst:20200201001
          • comment: python-reportlab-debugsource is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20200201002
        • AND
          • comment: python3-reportlab is earlier than 0:3.4.0-6.el8_1.2
            oval: oval:com.redhat.rhsa:tst:20200201003
          • comment: python3-reportlab is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20200201004
    rhsa
    id: RHSA-2020:0201
    released: 2020-01-24
    severity: Important
    title: RHSA-2020:0201: python-reportlab security update (Important)
  • rhsa
    id: RHSA-2020:0230
rpms
  • python-reportlab-0:2.5-9.el7_7.1
  • python-reportlab-debuginfo-0:2.5-9.el7_7.1
  • python-reportlab-docs-0:2.5-9.el7_7.1
  • python-reportlab-0:2.3-3.el6_10.1
  • python-reportlab-debuginfo-0:2.3-3.el6_10.1
  • python-reportlab-docs-0:2.3-3.el6_10.1
  • python-reportlab-debugsource-0:3.4.0-6.el8_1.2
  • python3-reportlab-0:3.4.0-6.el8_1.2
  • python3-reportlab-debuginfo-0:3.4.0-6.el8_1.2
  • python-reportlab-debugsource-0:3.4.0-6.el8_0.2
  • python3-reportlab-0:3.4.0-6.el8_0.2
  • python3-reportlab-debuginfo-0:3.4.0-6.el8_0.2

References