CVE-2019-19450

CRITICAL

ReportLab <3.5.31 - RCE

Title source: llm

Description

paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.

References (7)

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHMCB2GJQKFMGVO5RWHN222NQL5XYPHZ/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HADPTB3SBU7IVRMDK7OL6WSQRU5AFWDZ/

[Release Notes] https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md

View Writeup ZIP pw:eip

[Third Party Advisory] https://pastebin.com/5MicRrr4

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/CHMCB2GJQKFMGVO5RWHN222NQL5XYPHZ/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/HADPTB3SBU7IVRMDK7OL6WSQRU5AFWDZ/

Scores

CVSS v3 9.8

EPSS 0.0948

EPSS Percentile 92.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-91

Status published

Products (3)

debian/debian_linux 10.0

pypi/reportlab 0 - 3.5.31PyPI

reportlab/reportlab < 3.5.31

Published Sep 20, 2023

Tracked Since Feb 18, 2026