Server-side Request Forgery (SSRF) Affecting reportlab Open this link in a new tab package, versions [0,3.5.55)


0.0
medium
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    Low

  • Confidentiality

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-PYTHON-REPORTLAB-1022145

  • published

    3 Jan 2021

  • disclosed

    27 Oct 2020

  • credit

    Karan Bamal

How to fix?

Upgrade reportlab to version 3.5.55 or higher.

Overview

reportlab is a Python library for generating PDFs and graphics.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation), introduced in version 3.5.55.

Steps to reproduce by Karan Bamal:

  1. Download and install the latest package of reportlab
  2. Go to demos -> odyssey -> dodyssey
  3. In the text file odyssey.txt that needs to be converted to pdf inject <img src="http://127.0.0.1:5000" valign="top"/>
  4. Create a nc listener nc -lp 5000
  5. Run python3 dodyssey.py
  6. You will get a hit on your nc showing we have successfully proceded to send a server side request
  7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF