Bug 1930416 (CVE-2020-28463)
| Summary: | CVE-2020-28463 python-reportlab: Server-side request forgery via img tags | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bdettelb, bdpepple, i, icon, mkasik, peter, trpost, williamjmorenor |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in python-reportlab. A Server-side Request Forgery (SSRF) vulnerability is possible via img tags.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1930417, 1933896 | ||
| Bug Blocks: | 1930418 | ||
|
Description
Pedro Sampaio
2021-02-18 20:17:52 UTC
Created python-reportlab tracking bugs for this issue: Affects: fedora-all [bug 1930417] Set CVSS Confidentiality metrics to Low and Integrity to Low because the contents of the attacked address aren't disclosed, only the presence of the address and potentially the Integrity if the address allows state changing actions via HTTP get method. External References: https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145 Statement: This flaw is out of support scope for the following products: * Red Hat Enterprise Linux 6 * Red Hat Enterprise Linux 7 To learn more about Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata/ |