CVE-2019-17626

unknown

Published 2022-05-24 · Modified 2023-11-08

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

—

VIR risk

—

Description

ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2019-17626

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2019-17626.html

OS impact

OS	Version	Status	Fixed in
sles		affected
debian	bookworm	fixed	`3.5.34-1`
debian	bullseye	fixed	`3.5.34-1`
debian	forky	fixed	`3.5.34-1`
debian	sid	fixed	`3.5.34-1`
debian	trixie	fixed	`3.5.34-1`

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	reportlab	`<3.5.28`	`3.5.28`

References

https://nvd.nist.gov/vuln/detail/CVE-2019-17626
https://www.debian.org/security/2020/dsa-4663
https://web.archive.org/web/20191016111823/https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code
https://usn.ubuntu.com/4273-1
https://security.netapp.com/advisory/ntap-20240719-0006
https://security.gentoo.org/glsa/202007-35
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZPHP2BJSTP4IYCSJRQINP763IHO6ASL
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NSCTOE3DITFICY2XKBYZ5WAF5TSQ52DM
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZPHP2BJSTP4IYCSJRQINP763IHO6ASL
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSCTOE3DITFICY2XKBYZ5WAF5TSQ52DM
https://lists.debian.org/debian-lts-announce/2020/02/msg00019.html
https://hg.reportlab.com/hg-public/reportlab/rev/51a521ad7dd3
https://github.com/pypa/advisory-database/tree/main/vulns/reportlab/PYSEC-2019-117.yaml
https://github.com/advisories/GHSA-qpg2-vx7j-3869
https://github.com/MrBitBucket/reportlab-mirror
https://bitbucket.org/rptlab/reportlab/src/default/CHANGES.md
https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code
https://access.redhat.com/security/cve/cve-2019-17626
https://access.redhat.com/errata/RHSA-2020:0230
https://access.redhat.com/errata/RHSA-2020:0201
https://access.redhat.com/errata/RHSA-2020:0197
https://access.redhat.com/errata/RHSA-2020:0195
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00002.html
https://www.suse.com/security/cve/CVE-2019-17626.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZPHP2BJSTP4IYCSJRQINP763IHO6ASL/

Verify integrity in audit chain (admin only). AS-IS.