PT-2023-6316 · Reportlab+6

Ravi Prakash Giri · Published 2023-09-20 · Updated 2024-05-24

CVE-2019-19450 · CVSS v2.0: 10 (Critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: ReportLab versions prior to 3.5.31

Description: The issue lies in the start_unichar function in paraparser.py, which incorrectly processes XML documents. A remote attacker can execute arbitrary code by crafting a malicious XML document whose <unichar code> element contains Python code.

Recommendations: For versions prior to 3.5.31, update to version 3.5.31 or later to resolve the issue. As a temporary workaround, consider restricting the use of the start_unichar function in paraparser.py to minimize the risk of exploitation. Do not evaluate untrusted user input in the unichar element of XML documents until the issue is resolved.
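As an added example, not ReportLab's own code and not part of this advisory, a pre-filter implementing the workaround above: it flags any `<unichar>` tag whose `code` attribute is not a plain integer literal before the markup reaches ReportLab's paragraph parser, and compares an installed version string against the fixed version 3.5.31. The sample markup strings are constructed for illustration.

```python
import re
from typing import List, Tuple

# Version in which the advisory reports the issue as fixed.
FIXED_VERSION = (3, 5, 31)

# Every <unichar ...> start tag in paragraph markup (case-insensitive).
_UNICHAR_TAG = re.compile(r"<\s*unichar\b([^>]*)>", re.IGNORECASE)
# The code="..." attribute, single- or double-quoted.
_CODE_ATTR = re.compile(r"""\bcode\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.IGNORECASE)
# Only a bare decimal or 0x-hex integer literal is an acceptable code point.
_SAFE_CODE = re.compile(r"^\s*(?:0[xX][0-9a-fA-F]+|[0-9]+)\s*$")

# Constructed samples: the first uses literal code points, the second a Python expression.
SAFE_MARKUP = '<para>Euro: <unichar code="0x20AC"/> and <unichar code="8364"/></para>'
FLAGGED_MARKUP = """<para>Letter: <unichar code="ord('A')"/></para>"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.5.31' into (3, 5, 31); a non-numeric component ends the tuple."""
    parts = []
    for component in version.split("."):
        match = re.match(r"\d+", component)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_patched(version: str) -> bool:
    """True when the installed ReportLab version is 3.5.31 or later."""
    return parse_version(version) >= FIXED_VERSION


def find_unsafe_unichar(markup: str) -> List[str]:
    """Return every unichar code attribute value that is not an integer literal."""
    unsafe = []
    for tag in _UNICHAR_TAG.finditer(markup):
        attr = _CODE_ATTR.search(tag.group(1))
        if attr is None:
            continue  # no code attribute, so nothing is evaluated
        value = attr.group(1) if attr.group(1) is not None else attr.group(2)
        if not _SAFE_CODE.match(value):
            unsafe.append(value)
    return unsafe


def validate_markup(markup: str) -> bool:
    """Accept untrusted markup only if no unichar code attribute needs evaluation."""
    return not find_unsafe_unichar(markup)
```

Run the filter on untrusted markup regardless of version; the version check only tells you whether the parser itself still has the flaw.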

Tags: Fix · RCE

Related Identifiers

ALSA-2023:5790
BDU:2023-07027
CESA-2023_5616
CESA-2023_5790
CVE-2019-19450
DLA-3590-1
GHSA-PJ98-2XF6-CFF5
OPENSUSE-SU-2023_3972-1
RHSA-2023:5616
RHSA-2023:5786
RHSA-2023:5787
RHSA-2023:5788
RHSA-2023:5789
RHSA-2023:5790
RHSA-2023_5616
RHSA-2023_5790
SUSE-SU-2023:3972-1
SUSE-SU-2023:4048-1

Affected Products

Almalinux
Astra Linux
Centos
Red Hat
Red Os
Reportlab
Suse