{"url":"http://public2.vulnerablecode.io/api/packages/14422?format=json","purl":"pkg:pypi/reportlab@3.4.0","type":"pypi","namespace":"","name":"reportlab","version":"3.4.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.5.55","latest_non_vulnerable_version":"3.6.13","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35424?format=json","vulnerability_id":"VCID-7ae4-65em-sbdg","summary":"ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color=\"' followed by arbitrary Python code.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00002.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00002.html"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0195","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0195"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0197","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0197"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0201","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0201"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0230","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0230"},{"reference_url":"https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code","reference_id":"","reference_type":"","scores":[],"url":"https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code"},{"reference_url":"https://bitbucket.org/rptlab/reportlab/src/default/CHANGES.md","reference_id":"","reference_type":"","scores":[],"url":"https://bitbucket.org/rptlab/reportlab/src/default/CHANGES.md"},{"reference_url":"https://github.com/advisories/GHSA-qpg2-vx7j-3869","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qpg2-vx7j-3869"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00019.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00019.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NSCTOE3DITFICY2XKBYZ5WAF5TSQ52DM/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NSCTOE3DITFICY2XKBYZ5WAF5TSQ52DM/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZPHP2BJSTP4IYCSJRQINP763IHO6ASL/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZPHP2BJSTP4IYCSJRQINP763IHO6ASL/"},{"reference_url":"https://security.gentoo.org/glsa/202007-35","reference_id":"","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202007-35"},{"reference_url":"https://usn.ubuntu.com/4273-1/","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4273-1/"},{"reference_url":"https://www.debian.org/security/2020/dsa-4663","reference_id":"","reference_type":"","scores":[],"url":"https://www.debian.org/security/2020/dsa-4663"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/14443?format=json","purl":"pkg:pypi/reportlab@3.5.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jkaa-rknn-p7au"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/reportlab@3.5.28"}],"aliases":["CVE-2019-17626","GHSA-qpg2-vx7j-3869","PYSEC-2019-117"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7ae4-65em-sbdg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/6884?format=json","vulnerability_id":"VCID-jkaa-rknn-p7au","summary":"url request injection","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28463","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28463"},{"reference_url":"https://github.com/advisories/GHSA-mpvw-25mg-59vx","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mpvw-25mg-59vx"},{"reference_url":"https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145","reference_id":"","reference_type":"","scores":[],"url":"https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145"},{"reference_url":"https://www.reportlab.com/docs/reportlab-userguide.pdf","reference_id":"","reference_type":"","scores":[],"url":"https://www.reportlab.com/docs/reportlab-userguide.pdf"},{"reference_url":"https://security.archlinux.org/AVG-1592","reference_id":"AVG-1592","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1592"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19965?format=json","purl":"pkg:pypi/reportlab@3.5.55","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/reportlab@3.5.55"}],"aliases":["CVE-2020-28463","GHSA-mpvw-25mg-59vx","PYSEC-2021-146","SNYK-PYTHON-REPORTLAB-1022145"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jkaa-rknn-p7au"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/reportlab@3.4.0"}