9.8
CVSSv3

CVE-2019-17626

Published: 16/10/2019 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

ReportLab up to and including 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
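The injection point described above, as an added worked example that is not ReportLab's code and not its upstream patch: a simplified model of the vulnerable `toColor(eval(arg))` path placed next to a hardened colour parser, both driven from a constructed markup document whose `<span color="...">` attribute carries a Python expression instead of a colour. The names `NAMED_COLORS`, `to_color_vulnerable`, `to_color_safe`, `render_colors` and `demo`, the sample markup, and the tiny colour table are assumptions of this example. The payload's side effect is a harmless `os.getpid()` call recorded in a list, so the demo is safe to run and the evidence of execution is checkable.

```python
import ast
import re
from html.parser import HTMLParser

# Stand-in for a named-colour table (the real library has far more entries).
NAMED_COLORS = {
    "red": (1.0, 0.0, 0.0),
    "green": (0.0, 1.0, 0.0),
    "blue": (0.0, 0.0, 1.0),
}
HEX_RE = re.compile(r"^#([0-9a-f]{6})$")

# Evidence that attacker-supplied code ran: the payload appends to this list.
# Constructed for the demo; a real payload would call os.system or similar.
CALLS = []

# Constructed sample document. The colour attribute is a Python expression
# that performs a side effect and then evaluates to a valid colour name, so
# the document still renders normally after the injected code has run.
MALICIOUS_MARKUP = (
    '<para>Hello <span color="'
    "[CALLS.append(__import__('os').getpid()), 'red'][1]"
    '">world</span></para>'
)
# Constructed benign document: a hex colour and a literal (r, g, b) tuple.
BENIGN_MARKUP = (
    '<para><span color="#00ff00">ok</span>'
    '<span color="(0,0,1)">blue</span></para>'
)


def _hex_to_rgb(hexstr):
    """'00ff00' -> (0.0, 1.0, 0.0)"""
    return tuple(int(hexstr[i:i + 2], 16) / 255.0 for i in (0, 2, 4))


def to_color_vulnerable(arg):
    """Simplified model of the pre-fix behaviour (NOT reportlab's code):
    anything that is not a known name or a #rrggbb string goes to eval()."""
    s = arg.strip()
    if s.lower() in NAMED_COLORS:
        return NAMED_COLORS[s.lower()]
    m = HEX_RE.match(s.lower())
    if m:
        return _hex_to_rgb(m.group(1))
    value = eval(s)  # the injection point: document text becomes Python code
    if isinstance(value, str):
        return to_color_vulnerable(value)
    return tuple(float(c) for c in value)


def to_color_safe(arg):
    """Hardened parser: named colours, #rrggbb, or a literal (r, g, b) tuple
    in the 0..1 range. ast.literal_eval only accepts Python literals, so
    names, calls, attribute access and imports are rejected, never run."""
    s = arg.strip().lower()
    if s in NAMED_COLORS:
        return NAMED_COLORS[s]
    m = HEX_RE.match(s)
    if m:
        return _hex_to_rgb(m.group(1))
    try:
        value = ast.literal_eval(s)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        raise ValueError(f"unrecognised colour {arg!r}") from None
    if (isinstance(value, tuple) and len(value) == 3
            and all(isinstance(c, (int, float)) and 0 <= c <= 1 for c in value)):
        return tuple(float(c) for c in value)
    raise ValueError(f"unrecognised colour {arg!r}")


class _SpanColors(HTMLParser):
    """Collect the color attribute of every <span> in the markup."""

    def __init__(self):
        super().__init__()
        self.colors = []

    def handle_starttag(self, tag, attrs):
        if tag == "span":
            for name, value in attrs:
                if name == "color" and value is not None:
                    self.colors.append(value)


def render_colors(markup, to_color):
    """Parse the markup and convert each span colour with the given
    converter, as a paragraph renderer would while styling text."""
    parser = _SpanColors()
    parser.feed(markup)
    parser.close()
    return [to_color(c) for c in parser.colors]


def demo():
    """Run the malicious document through both converters and report."""
    CALLS.clear()
    vulnerable_result = render_colors(MALICIOUS_MARKUP, to_color_vulnerable)
    code_ran = len(CALLS) == 1  # the payload's getpid() call was recorded
    try:
        render_colors(MALICIOUS_MARKUP, to_color_safe)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    benign = render_colors(BENIGN_MARKUP, to_color_safe)
    return {"vulnerable_result": vulnerable_result, "code_ran": code_ran,
            "safe_rejected": safe_rejected, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

The point of the example is that the vulnerable path renders the malicious document without error (the payload deliberately evaluates to `'red'`), so nothing in the output reveals that attacker code ran. The hardened parser accepts only a fixed grammar; `ast.literal_eval` never evaluates names or calls, so a payload fails with `ValueError` before any code executes. The cost is lost flexibility: constructor-style expressions such as `Color(1,0,0)` that an `eval`-based parser accepted are now rejected and would need explicit grammar support. ReportLab's actual fix is not reproduced here; when upgrading, the practical check is to confirm the installed version is later than 3.5.26 and that no local code calls `eval` on colour attributes from untrusted documents.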

Vulnerable Products

reportlab reportlab

Vendor Advisories

Debian Bug report logs - #942763 python-reportlab: CVE-2019-17626: remote code execution in colors.py. Package: src:python-reportlab; Maintainer for src:python-reportlab is Matthias Klose <doko@debian.org>; Reported by: Hugo Lefeuvre <hle@debian.org>; Date: Mon, 21 Oct 2019 08:30:02 UTC; Severity: important; Tags: securi ...
ReportLab could be made to run programs as your login if it opened a specially crafted file ...
Synopsis: Important: python-reportlab security update. Type/Severity: Security Advisory: Important. Topic: An update for python-reportlab is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A ...
Synopsis: Important: python-reportlab security update. Type/Severity: Security Advisory: Important. Topic: An update for python-reportlab is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System ...
Synopsis: Important: python-reportlab security update. Type/Severity: Security Advisory: Important. Topic: An update for python-reportlab is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System ...
Synopsis: Important: python-reportlab security update. Type/Severity: Security Advisory: Important. Topic: An update for python-reportlab is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System ...
It was discovered that python-reportlab, a Python library to create PDF documents, is prone to a code injection vulnerability while parsing a color attribute. An attacker can take advantage of this flaw to execute arbitrary code if a specially crafted document is processed. For the oldstable distribution (stretch), this problem has been fixed in ve ...
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code (CVE-2019-17626) ...