Vulnerabilities > CVE-2019-17626 - XML Injection (aka Blind XPath Injection) vulnerability in Reportlab
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- XML Injection An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
- XPath Injection An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that he normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database. In order to successfully inject XML and retrieve information from a database, an attacker:
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4273-1.NASL description It was discovered that ReportLab incorrectly handled certain XML documents. If a user or automated system were tricked into processing a specially crafted document, a remote attacker could possibly use this issue to execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 133551 published 2020-02-07 reporter Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133551 title Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : python-reportlab vulnerability (USN-4273-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-4273-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(133551); script_version("1.2"); script_cvs_date("Date: 2020/02/12"); script_cve_id("CVE-2019-17626"); script_xref(name:"USN", value:"4273-1"); script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : python-reportlab vulnerability (USN-4273-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "It was discovered that ReportLab incorrectly handled certain XML documents. If a user or automated system were tricked into processing a specially crafted document, a remote attacker could possibly use this issue to execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/4273-1/" ); script_set_attribute( attribute:"solution", value: "Update the affected python-reportlab and / or python3-reportlab packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python-reportlab"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python3-reportlab"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/16"); script_set_attribute(attribute:"patch_publication_date", value:"2020/02/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/07"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(16\.04|18\.04|19\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04 / 19.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"16.04", pkgname:"python-reportlab", pkgver:"3.3.0-1ubuntu0.1")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"python3-reportlab", pkgver:"3.3.0-1ubuntu0.1")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"python-reportlab", pkgver:"3.4.0-3ubuntu0.1")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"python3-reportlab", pkgver:"3.4.0-3ubuntu0.1")) flag++; if (ubuntu_check(osver:"19.10", pkgname:"python-reportlab", pkgver:"3.5.23-1ubuntu0.1")) flag++; if (ubuntu_check(osver:"19.10", pkgname:"python3-reportlab", pkgver:"3.5.23-1ubuntu0.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-reportlab / python3-reportlab"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-0195.NASL description An update for python-reportlab is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 133166 published 2020-01-22 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133166 title RHEL 7 : python-reportlab (RHSA-2020:0195) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:0195. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(133166); script_version("1.2"); script_cvs_date("Date: 2020/01/24"); script_cve_id("CVE-2019-17626"); script_xref(name:"RHSA", value:"2020:0195"); script_name(english:"RHEL 7 : python-reportlab (RHSA-2020:0195)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update for python-reportlab is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:0195" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-17626" ); script_set_attribute( attribute:"solution", value: "Update the affected python-reportlab, python-reportlab-debuginfo and / or python-reportlab-docs packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-reportlab"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-reportlab-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-reportlab-docs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/16"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2020:0195"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-reportlab-2.5-9.el7_7.1")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"python-reportlab-2.5-9.el7_7.1")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-reportlab-debuginfo-2.5-9.el7_7.1")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"python-reportlab-debuginfo-2.5-9.el7_7.1")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-reportlab-docs-2.5-9.el7_7.1")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"python-reportlab-docs-2.5-9.el7_7.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-reportlab / python-reportlab-debuginfo / etc"); } }NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2020-0012_PYTHON-REPORTLAB.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has python-reportlab packages installed that are affected by a vulnerability: - ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with last seen 2020-03-18 modified 2020-03-08 plugin id 134317 published 2020-03-08 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134317 title NewStart CGSL CORE 5.04 / MAIN 5.04 : python-reportlab Vulnerability (NS-SA-2020-0012) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from ZTE advisory NS-SA-2020-0012. The text # itself is copyright (C) ZTE, Inc. include('compat.inc'); if (description) { script_id(134317); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/10"); script_cve_id("CVE-2019-17626"); script_name(english:"NewStart CGSL CORE 5.04 / MAIN 5.04 : python-reportlab Vulnerability (NS-SA-2020-0012)"); script_set_attribute(attribute:"synopsis", value: "The remote machine is affected by a vulnerability."); script_set_attribute(attribute:"description", value: "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has python-reportlab packages installed that are affected by a vulnerability: - ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '"); script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2020-0012"); script_set_attribute(attribute:"solution", value: "Upgrade the vulnerable CGSL python-reportlab packages. Note that updated packages may not be available yet. Please contact ZTE for more information."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-17626"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/16"); script_set_attribute(attribute:"patch_publication_date", value:"2020/03/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/08"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"NewStart CGSL Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/ZTE-CGSL/release"); if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux"); if (release !~ "CGSL CORE 5.04" && release !~ "CGSL MAIN 5.04") audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04'); if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu); flag = 0; pkgs = { "CGSL CORE 5.04": [ "python-reportlab-2.5-9.el7_7.1", "python-reportlab-debuginfo-2.5-9.el7_7.1", "python-reportlab-docs-2.5-9.el7_7.1" ], "CGSL MAIN 5.04": [ "python-reportlab-2.5-9.el7_7.1", "python-reportlab-debuginfo-2.5-9.el7_7.1", "python-reportlab-docs-2.5-9.el7_7.1" ] }; pkg_list = pkgs[release]; foreach (pkg in pkg_list) if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-reportlab"); }NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2020-0201.NASL description From Red Hat Security Advisory 2020:0201 : An update for python-reportlab is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 133185 published 2020-01-23 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133185 title Oracle Linux 8 : python-reportlab (ELSA-2020-0201) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:0201 and # Oracle Linux Security Advisory ELSA-2020-0201 respectively. # include("compat.inc"); if (description) { script_id(133185); script_version("1.2"); script_cvs_date("Date: 2020/01/27"); script_cve_id("CVE-2019-17626"); script_xref(name:"RHSA", value:"2020:0201"); script_name(english:"Oracle Linux 8 : python-reportlab (ELSA-2020-0201)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2020:0201 : An update for python-reportlab is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2020-January/009542.html" ); script_set_attribute( attribute:"solution", value:"Update the affected python-reportlab package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python3-reportlab"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:8"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/16"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/23"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 8", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"EL8", cpu:"x86_64", reference:"python3-reportlab-3.4.0-6.el8_1.2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python3-reportlab"); }NASL family Scientific Linux Local Security Checks NASL id SL_20200121_PYTHON_REPORTLAB_ON_SL6_X.NASL description Security Fix(es) : - python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) last seen 2020-03-18 modified 2020-01-23 plugin id 133193 published 2020-01-23 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133193 title Scientific Linux Security Update : python-reportlab on SL6.x i386/x86_64 (20200121) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2112.NASL description It was found that ReportLab, a Python library to create PDF documents, did not properly parse color strings, allowing an attacker to execute arbitrary code through a crafted input document. For Debian 8 last seen 2020-03-17 modified 2020-02-24 plugin id 133874 published 2020-02-24 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133874 title Debian DLA-2112-1 : python-reportlab security update NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0255-1.NASL description This update for python-reportlab fixes the following issues : CVE-2019-17626: Fixed a potential remote code execution because of the lack of input sanitization in toColor() (bsc#1154370). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 133349 published 2020-01-30 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133349 title SUSE SLED15 / SLES15 Security Update : python-reportlab (SUSE-SU-2020:0255-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2020-0197.NASL description From Red Hat Security Advisory 2020:0197 : An update for python-reportlab is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 133155 published 2020-01-22 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133155 title Oracle Linux 6 : python-reportlab (ELSA-2020-0197) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2020-0195.NASL description An update for python-reportlab is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 133311 published 2020-01-30 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133311 title CentOS 7 : python-reportlab (CESA-2020:0195) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4663.NASL description It was discovered that python-reportlab, a Python library to create PDF documents, is prone to a code injection vulnerability while parsing a color attribute. An attacker can take advantage of this flaw to execute arbitrary code if a specially crafted document is processed. last seen 2020-05-03 modified 2020-04-27 plugin id 135983 published 2020-04-27 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135983 title Debian DSA-4663-1 : python-reportlab - security update NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-0197.NASL description An update for python-reportlab is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 133168 published 2020-01-22 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133168 title RHEL 6 : python-reportlab (RHSA-2020:0197) NASL family Scientific Linux Local Security Checks NASL id SL_20200122_PYTHON_REPORTLAB_ON_SL7_X.NASL description Security Fix(es) : - python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) last seen 2020-03-18 modified 2020-01-23 plugin id 133197 published 2020-01-23 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133197 title Scientific Linux Security Update : python-reportlab on SL7.x x86_64 (20200122) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2020-0195.NASL description From Red Hat Security Advisory 2020:0195 : An update for python-reportlab is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 133183 published 2020-01-23 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133183 title Oracle Linux 7 : python-reportlab (ELSA-2020-0195) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1428.NASL description According to the version of the python-reportlab package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with last seen 2020-05-06 modified 2020-04-15 plugin id 135557 published 2020-04-15 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135557 title EulerOS 2.0 SP3 : python-reportlab (EulerOS-SA-2020-1428) NASL family SuSE Local Security Checks NASL id OPENSUSE-2020-160.NASL description This update for python-reportlab fixes the following issues : - CVE-2019-17626: Fixed a potential remote code execution because of the lack of input sanitization in toColor() (bsc#1154370). This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 133488 published 2020-02-05 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133488 title openSUSE Security Update : python-reportlab (openSUSE-2020-160) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-0230.NASL description An update for python-reportlab is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 133283 published 2020-01-28 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133283 title RHEL 8 : python-reportlab (RHSA-2020:0230) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1129.NASL description According to the version of the python-reportlab package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Python PDF generation library.Security Fix(es):ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with last seen 2020-05-06 modified 2020-02-24 plugin id 133930 published 2020-02-24 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133930 title EulerOS 2.0 SP5 : python-reportlab (EulerOS-SA-2020-1129) NASL family Fedora Local Security Checks NASL id FEDORA_2020-D2FB999600.NASL description Release 3.5.34 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 133241 published 2020-01-27 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133241 title Fedora 30 : python-reportlab (2020-d2fb999600) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-0201.NASL description An update for python-reportlab is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 133189 published 2020-01-23 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133189 title RHEL 8 : python-reportlab (RHSA-2020:0201) NASL family Fedora Local Security Checks NASL id FEDORA_2020-F3E0BA2F79.NASL description Release 3.5.34 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 133378 published 2020-01-31 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133378 title Fedora 31 : python-reportlab (2020-f3e0ba2f79) NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2020-1390.NASL description ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with last seen 2020-06-01 modified 2020-06-02 plugin id 133554 published 2020-02-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133554 title Amazon Linux 2 : python-reportlab (ALAS-2020-1390) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2020-0021_PYTHON-REPORTLAB.NASL description The remote NewStart CGSL host, running version MAIN 4.05, has python-reportlab packages installed that are affected by a vulnerability: - ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with last seen 2020-03-18 modified 2020-03-08 plugin id 134313 published 2020-03-08 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134313 title NewStart CGSL MAIN 4.05 : python-reportlab Vulnerability (NS-SA-2020-0021) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2020-0197.NASL description An update for python-reportlab is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python-reportlab is a library used for generation of PDF documents. Security Fix(es) : * python-reportlab: code injection in colors.py allows attacker to execute code (CVE-2019-17626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 133313 published 2020-01-30 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133313 title CentOS 6 : python-reportlab (CESA-2020:0197)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code
- https://bitbucket.org/rptlab/reportlab/src/default/CHANGES.md
- https://access.redhat.com/errata/RHSA-2020:0197
- https://access.redhat.com/errata/RHSA-2020:0195
- https://access.redhat.com/errata/RHSA-2020:0201
- https://access.redhat.com/errata/RHSA-2020:0230
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00002.html
- https://usn.ubuntu.com/4273-1/
- https://lists.debian.org/debian-lts-announce/2020/02/msg00019.html
- https://www.debian.org/security/2020/dsa-4663
- https://security.gentoo.org/glsa/202007-35
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZPHP2BJSTP4IYCSJRQINP763IHO6ASL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSCTOE3DITFICY2XKBYZ5WAF5TSQ52DM/