CVE-2020-28463

Server-side Request Forgery (SSRF)

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject <img src="http://127.0.0.1:5000" valign="top"/> 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF

Todas las versiones del paquete reportlab son vulnerables a un ataque de tipo Server-side Request Forgery (SSRF) por medio de etiquetas img. Para reducir el riesgo, utilice TrustSchemes y TrustHosts (consulte la documentación de Reportlab). Pasos para reproducir por Karan Bamal: 1. Descargue e instale el último paquete de reportlab 2. Vaya a demos -) odyssey -) dodyssey 3. En el archivo de texto odyssey.txt que necesita ser convertido a pdf inyecte (img src="http://127.0.0.1:5000" valign= top" /) 4. Cree un oyente nc nc -lp 5000 5. Ejecute python3 dodyssey.py 6. Recibirá un resultado en su nc que muestra que hemos procedido con éxito a enviar una petición del lado del servidor 7. dodyssey.py mostrará un error ya que no contiene un archivo img en la URL, pero somos capaces de hacer un ataque de tipo SSRF

*Credits: Karan Bamal

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-11-12 CVE Reserved
2021-02-18 CVE Published
2023-11-08 EPSS Updated
2024-09-17 CVE Updated
2024-09-17 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-918: Server-Side Request Forgery (SSRF)

CAPEC

References (5)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html	Mailing List

URL	Date	SRC
https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145	2024-09-17

URL	Date	SRC

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMUJA5GZTPQ5WRYUCCK2GEZM4W43N7HH	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZQSFCID67K6BTC655EQY6MNOF35QI44	2023-11-07
https://www.reportlab.com/docs/reportlab-userguide.pdf	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Reportlab Search vendor "Reportlab"		Reportlab Search vendor "Reportlab" for product "Reportlab"				*		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected