CVE-2019-19450
📋 TL;DR
CVE-2019-19450 is a critical remote code execution vulnerability in ReportLab's paraparser module. Attackers can execute arbitrary Python code by crafting malicious XML documents containing specially formatted unichar elements. This affects any application using vulnerable versions of ReportLab to parse XML input.
💻 Affected Systems
- ReportLab
📦 What is this software?
ReportLab by ReportLab
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Remote code execution leading to data exfiltration, ransomware deployment, or creation of persistent backdoors.
If Mitigated
Limited impact if XML parsing is restricted to trusted sources and proper input validation is implemented.
🎯 Exploit Status
Exploit code is publicly available on Pastebin and other sources. The vulnerability is similar to CVE-2019-17626, making exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.31 and later
Vendor Advisory: https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md
Restart Required: No
Instructions:
1. Upgrade ReportLab to version 3.5.31 or later using pip: 'pip install --upgrade reportlab==3.5.31'
2. Verify the upgrade completed successfully
3. Test application functionality with the patched version
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation to reject XML documents containing unichar elements with code attributes
XML Processing Restriction
Disable or restrict XML parsing functionality in ReportLab if not required
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable systems and restrict access to trusted sources only
- Deploy web application firewall (WAF) rules to block XML payloads containing unichar elements with code attributes
🔍 How to Verify
Check if Vulnerable:
The installation is vulnerable if the ReportLab version is below 3.5.31 and the application processes XML input from untrusted sources
Check Version:
python -c "import reportlab; print(reportlab.__version__)"
Verify Fix Applied:
Verify ReportLab version is 3.5.31 or later and test with known malicious XML payloads to ensure they are rejected
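As an added example (not code from this advisory or from ReportLab itself), the following Python ties together the version check above and the input-validation workaround: it compares a ReportLab version string against the 3.5.31 fix release and gates untrusted paragraph markup by rejecting any unichar element carrying a code attribute. The regular-expression fallback, the function names and the sample inputs are my own assumptions and constructions.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

FIXED_VERSION = (3, 5, 31)  # first patched release named in this advisory

# Constructed pattern (assumption, not from the advisory): matches a unichar tag
# carrying a code attribute regardless of attribute order, quoting or case.
_UNICHAR_CODE_RE = re.compile(r"<\s*unichar\b[^>]*\bcode\s*=", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.5.30' or '3.5.31rc1' -> (3, 5, 30) / (3, 5, 31) for comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def is_vulnerable_version(version: str) -> bool:
    """True when a ReportLab version string is older than the patched release."""
    return parse_version(version) < FIXED_VERSION


def installed_version_is_vulnerable() -> Optional[bool]:
    """Check the ReportLab in this interpreter; None when it is not installed."""
    try:
        import reportlab  # imported on demand so this module loads without it
    except ImportError:
        return None
    return is_vulnerable_version(reportlab.__version__)


def find_unichar_code(markup: str) -> List[str]:
    """Return the code attribute of every unichar element in a markup fragment."""
    try:
        # Paragraph markup is a fragment, so wrap it in a synthetic root.
        root = ET.fromstring("<root>" + markup + "</root>")
    except ET.ParseError:
        # Not well-formed XML: fall back to a textual scan so that truncated or
        # malformed input is still flagged instead of silently passing.
        return _UNICHAR_CODE_RE.findall(markup)
    hits = []
    for el in root.iter():
        attrs = {k.lower(): v for k, v in el.attrib.items()}
        if el.tag.lower() == "unichar" and "code" in attrs:
            hits.append(attrs["code"])
    return hits


def is_safe_markup(markup: str) -> bool:
    """Gatekeeper for untrusted markup: reject when any unichar[code] is present."""
    return not find_unichar_code(markup)
```

Call is_safe_markup() on untrusted input before it reaches the paragraph parser; the fallback is only a textual scan, so treat this as a stopgap alongside the upgrade rather than a replacement for it.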
📡 Detection & Monitoring
Log Indicators:
- Unusual Python process executions from web applications
- XML parsing errors containing unichar elements
- Unexpected system command executions
Network Indicators:
- XML payloads containing '<unichar code="' patterns in HTTP requests
- Outbound connections from application servers to unknown destinations
SIEM Query:
source="web_logs" AND (uri_query="*unichar*" OR request_body="*unichar code=*")
🔗 References
- https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md
- https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHMCB2GJQKFMGVO5RWHN222NQL5XYPHZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HADPTB3SBU7IVRMDK7OL6WSQRU5AFWDZ/
- https://pastebin.com/5MicRrr4