Bug 1930416 (CVE-2020-28463) - CVE-2020-28463 python-reportlab: Server-side request forgery via img tags
Summary: CVE-2020-28463 python-reportlab: Server-side request forgery via img tags
Status: NEW
Alias: CVE-2020-28463
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 1930417 1933896
Blocks: 1930418
TreeView+ depends on / blocked
Reported: 2021-02-18 20:17 UTC by Pedro Sampaio
Modified: 2023-07-07 08:33 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-reportlab. A Server-side Request Forgery (SSRF) vulnerability is possible via img tags.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Pedro Sampaio 2021-02-18 20:17:52 UTC
All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags.



Comment 1 Pedro Sampaio 2021-02-18 20:18:18 UTC
Created python-reportlab tracking bugs for this issue:

Affects: fedora-all [bug 1930417]

Comment 3 Jason Shepherd 2021-02-22 05:03:04 UTC
Set CVSS Confidentiality metrics to Low and Integrity to Low because the contents of the attacked address aren't disclosed, only the presence of the address and potentially the Integrity if the address allows state changing actions via HTTP get method.

Comment 4 Mark Cooper 2021-02-23 00:02:04 UTC
External References:


Comment 7 Todd Cullum 2021-03-02 00:36:34 UTC

This flaw is out of support scope for the following products:

* Red Hat Enterprise Linux 6
* Red Hat Enterprise Linux 7

To learn more about Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata/

Note You need to log in before you can comment on or make changes to this bug.