RCE Vulnerability Affecting ReportLab PDF library Exploited in The Wild

June 1, 2023

A researcher released an exploit for a Remote Code Execution (RCE) vulnerability affecting ReportLab Toolkit, a popular Python library for generating PDF files from HTML input.

The issue was reported to ReportLab’s developers upon discovery.

The Vulnerability

  • CVE-2023-3733 – An RCE vulnerability that allows an attacker to bypass the sandbox restrictions of the ‘rl_safe_eval’ function, which is supposed to prevent malicious code execution.

Affected Products

The vulnerability impacts all earlier versions of the ReportLab PDF library.

Mitigation

CYREBRO recommends updating the PDF library to ReportLab version 3.6.13.
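As an added example (not code from the advisory or from the ReportLab project), a small Python check that flags ReportLab versions older than the 3.6.13 fix recommended above, both for exact `==` pins in a requirements file and for the locally installed copy. It assumes the installed module exposes its version as `reportlab.Version` or `reportlab.__version__`; the sample requirements lines are constructed for illustration.

```python
"""Flag ReportLab versions older than the 3.6.13 fix named in this advisory.
Added example, not part of the advisory or of ReportLab. Assumes reportlab.Version / __version__."""
import re

FIXED_VERSION = (3, 6, 13, 1)  # (major, minor, patch, is_final_release)
_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")
_PRERELEASE_RE = re.compile(r"^[.\-]?(a|b|c|rc|alpha|beta|dev|pre)", re.IGNORECASE)

def parse_version(text):
    """'3.6.12', '3.6.13rc1', '4.0' -> comparable tuple; pre-releases sort below the final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    final = 0 if _PRERELEASE_RE.match(suffix) else 1   # '3.6.13rc1' still counts as vulnerable
    return (int(major), int(minor or 0), int(patch or 0), final)

def is_vulnerable(version_text):
    """True when the version predates the fixed 3.6.13 release."""
    return parse_version(version_text) < FIXED_VERSION

def installed_version():
    """Version string of the local reportlab install, or None if absent (attribute names are an assumption)."""
    try:
        import reportlab
        return getattr(reportlab, "__version__", None) or getattr(reportlab, "Version", None)
    except ImportError:
        return None

def audit_requirements(lines):
    """(line, verdict) per reportlab entry: '==' pins are compared with the fix, anything else is 'unpinned'."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line.lower().startswith("reportlab"):
            continue
        m = re.match(r"^reportlab\s*===?\s*([\w.\-+]+)$", line, re.IGNORECASE)
        if m is None:
            findings.append((line, "unpinned"))     # a floor or range cannot guarantee a fixed build
        else:
            findings.append((line, "vulnerable" if is_vulnerable(m.group(1)) else "fixed"))
    return findings

# Constructed sample requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = [
    "reportlab==3.6.12   # pinned before the fix",
    "reportlab==3.6.13",
    "reportlab>=3.5      # floor only; may still resolve to a fixed build",
    "requests==2.31.0",
]
```

Pre-release builds of 3.6.13 are conservatively reported as vulnerable, and non-exact specifiers are reported as 'unpinned' because they do not fix which build gets installed.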

References: GitHub
