Wiz
Vulnerability DatabaseCVE-2019-19450

CVE-2019-19450
Alma Linux vulnerability analysis and mitigation

Overview

CVE-2019-19450 affects python-reportlab, a Python library for generating PDFs and graphics. The vulnerability was discovered in versions before 3.5.31, where the start_unichar function in paraparser.py allows remote code execution through code injection when parsing a unichar element attribute in a crafted XML document (Red Hat Portal, NVD).

Technical details

The vulnerability exists in the paraparser component of ReportLab, specifically in the start_unichar function within paraparser.py. The issue stems from the unsafe evaluation of untrusted user input when processing unichar elements in XML documents (NVD). The vulnerability was discovered by Ravi Prakash Giri (Debian LTS).

Impact

This vulnerability allows attackers to execute arbitrary code remotely through specially crafted XML documents containing malicious unichar element attributes (Red Hat Portal). Given ReportLab's widespread use in PDF generation, this poses a significant security risk for applications processing untrusted XML input.

Mitigation and workarounds

The vulnerability has been fixed in ReportLab version 3.5.31 and later. Users should upgrade to the latest version to mitigate this security risk. Various Linux distributions have also released security updates to address this vulnerability, including Red Hat Enterprise Linux and Fedora (Red Hat Portal, Fedora Update).

Additional resources

SourceThis report was generated using AI

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues

Cloud threat landscape

Cloud threat landscape

A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques

PEACH

PEACH

A step-by-step framework for modeling and improving SaaS and PaaS tenant isolation

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo