GHSA-pj98-2xf6-cff5

Source

https://github.com/advisories/GHSA-pj98-2xf6-cff5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-pj98-2xf6-cff5/GHSA-pj98-2xf6-cff5.json

Aliases

CVE-2019-19450

Published

2023-09-20T15:30:51Z

Modified

2023-11-08T04:01:28.419584Z

Details

paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.

References

https://nvd.nist.gov/vuln/detail/CVE-2019-19450
https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md
https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md#release-353115102019
https://hg.reportlab.com/hg-public/reportlab
https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html
https://pastebin.com/5MicRrr4

Affected packages

PyPI / reportlab

Package

Name: reportlab

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

3.5.31

Affected versions

2.*

2.0

2.3

2.4

2.5

2.6

2.7

3.*

3.0

3.1.8

3.1.44

3.2.0

3.3.0

3.4.0

3.5.0

3.5.1

3.5.2

3.5.4

3.5.5

3.5.6

3.5.8

3.5.9

3.5.10

3.5.11

3.5.12

3.5.13

3.5.16

3.5.17

3.5.18

3.5.19

3.5.20

3.5.21

3.5.23

3.5.26

3.5.28