PT-2023-6316 · Reportlab+6

Ravi Prakash Giri · Published 2023-09-20 · Updated 2024-05-24 · CVE-2019-19450

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: ReportLab versions prior to 3.5.31
Description: The issue lies in the start_unichar function in paraparser.py, which incorrectly processes XML documents. A remote attacker can execute arbitrary code by crafting a malicious XML document whose <unichar code="..."> element contains Python code instead of a character code.
Recommendations: For versions prior to 3.5.31, update to version 3.5.31 or later to resolve the issue. As a temporary workaround, consider restricting the use of the start_unichar function in paraparser.py to minimize the risk of exploitation. Avoid evaluating untrusted user input in the unichar element of XML documents until the issue is resolved.
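The workaround above amounts to never letting untrusted text reach the code path that evaluates the `code` attribute. One way to enforce that at the boundary, as an added example written for this page (not ReportLab's own code), is to validate paragraph markup before it is passed to an unpatched parser and accept only a bare integer code point in each `<unichar code="...">`. The element and attribute names come from the advisory; the function names, the accepted integer syntax (decimal or `0x` hex) and the sample markup are assumptions of this example.

```python
"""Pre-filter for <unichar code="..."> attributes in paragraph markup.

Added example, not part of ReportLab. It rejects any `code` value that is not
a plain integer code point, so an expression can never reach a parser that
would evaluate it.
"""
import re
import xml.etree.ElementTree as ET

# Accept only a bare integer: decimal without leading zeros, or 0x-prefixed hex.
_DECIMAL_RE = re.compile(r"^(0|[1-9][0-9]{0,6})$")
_HEX_RE = re.compile(r"^0[xX]([0-9A-Fa-f]{1,6})$")
_MAX_CODEPOINT = 0x10FFFF


def is_safe_unichar_code(value: str) -> bool:
    """Return True only if `value` is a bare integer within the Unicode range."""
    value = value.strip()
    if _DECIMAL_RE.match(value):
        codepoint = int(value, 10)
    else:
        m = _HEX_RE.match(value)
        if not m:
            return False  # anything else (operators, names, calls) is rejected
        codepoint = int(m.group(1), 16)
    return codepoint <= _MAX_CODEPOINT


def find_unsafe_unichar_codes(markup: str) -> list:
    """Return every `code` attribute value in `markup` that is not a bare integer.

    Paragraph markup is a fragment, so it is wrapped in a synthetic root element
    before parsing. Parsing with ElementTree never evaluates attribute values.
    """
    root = ET.fromstring("<root>" + markup + "</root>")
    unsafe = []
    for element in root.iter("unichar"):
        code = element.get("code")
        if code is not None and not is_safe_unichar_code(code):
            unsafe.append(code)
    return unsafe


def is_markup_safe(markup: str) -> bool:
    """True when no <unichar> element carries a non-integer `code` attribute."""
    return not find_unsafe_unichar_codes(markup)


# Constructed sample inputs (not taken from any real document).
SAFE_SAMPLE = 'Hello <unichar code="65"/> and <unichar code="0x263A"/> world'
UNSAFE_SAMPLE = 'Hello <unichar code="1+1"/> world'

if __name__ == "__main__":
    print("safe sample accepted:", is_markup_safe(SAFE_SAMPLE))      # True
    print("unsafe sample rejected:", not is_markup_safe(UNSAFE_SAMPLE))  # True
    print("offending values:", find_unsafe_unichar_codes(UNSAFE_SAMPLE))  # ['1+1']
```

Only markup that passes `is_markup_safe` should be handed to the paragraph parser; anything rejected is logged and dropped. Note that the integer-only check is deliberately stricter than what a patched ReportLab accepts, since the goal of a boundary filter is to leave no room for evaluation at all.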

Fix

RCE


Weakness Enumeration

Related identifiers

ALSA-2023:5790
BDU:2023-07027
CESA-2023_5616
CESA-2023_5790
CVE-2019-19450
DLA-3590-1
GHSA-PJ98-2XF6-CFF5
OPENSUSE-SU-2023_3972-1
RHSA-2023:5616
RHSA-2023:5786
RHSA-2023:5787
RHSA-2023:5788
RHSA-2023:5789
RHSA-2023:5790
RHSA-2023_5616
RHSA-2023_5790
SUSE-SU-2023:3972-1
SUSE-SU-2023:4048-1

Affected products

Almalinux
Astra Linux
Centos
Red Hat
Red Os
Reportlab
Suse