
CVE-2023-33733: RCE Vulnerability in ReportLab PDF Toolkit

Find Arctic Wolf’s recommendations for CVE-2023-33733: RCE Vulnerability in ReportLab PDF Toolkit.

On May 31st, 2023, a working exploit was publicly released for a remote code execution (RCE) vulnerability (CVE-2023-33733) affecting the ReportLab PDF Toolkit Python library in versions prior to 3.6.13. The researcher who published the proof of concept (POC) had previously contacted ReportLab in April 2023 with details of the vulnerability, and ReportLab released a fix on April 27th, 2023, in ReportLab 3.6.13.

ReportLab PDF Toolkit is an open-source project that allows the creation of documents in Adobe’s Portable Document Format (PDF) using the Python programming language. The POC focuses on bypassing the sandbox restrictions of ‘rl_safe_eval’, a function intended to prevent malicious code execution. The bypass grants access to built-in Python functions, which allows an attacker to achieve RCE. Many applications and libraries that use the ReportLab PDF Toolkit are therefore vulnerable to remote code execution when they convert attacker-supplied HTML to PDF.

Based on the availability of a proof-of-concept exploit for CVE-2023-33733 and the widespread use of the library in HTML to PDF processing, we assess that there is a high likelihood of this vulnerability being exploited in the wild. 

Product                  Vulnerable Versions
ReportLab PDF Toolkit    Versions prior to 3.6.13

Recommendation for CVE-2023-33733

Please follow your organization’s patching and testing guidelines to avoid any operational impact. 

Apply the latest security patch for ReportLab PDF Toolkit 

Arctic Wolf strongly recommends installing the latest version of ReportLab to prevent potential exploitation of this vulnerability. To install the fixed version, use pip install reportlab==3.6.13. More information can be found here: https://docs.reportlab.com/install/open_source_installation/
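As an added example, not part of the Arctic Wolf bulletin or of ReportLab's own tooling, the following Python check flags pinned or installed ReportLab versions below the fixed 3.6.13 release; the pip freeze lines are constructed sample data, and the helper names are this example's own.

```python
import re

# Fixed release named in the bulletin: ReportLab 3.6.13 closes CVE-2023-33733.
FIXED_VERSION = (3, 6, 13)


def parse_version(text):
    """Turn '3.6.12' or '3.6.13rc1' into (major, minor, patch) plus a
    pre-release flag. Only the leading numeric components are kept."""
    nums = []
    prerelease = False
    for piece in text.strip().split("."):
        m = re.fullmatch(r"(\d+)(.*)", piece)
        if not m:
            prerelease = True
            break
        nums.append(int(m.group(1)))
        if m.group(2):          # suffix such as 'rc1' or 'b2'
            prerelease = True
            break
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3]), prerelease


def is_vulnerable(version):
    """True when the version predates the 3.6.13 fix."""
    nums, prerelease = parse_version(version)
    if nums < FIXED_VERSION:
        return True
    # A pre-release of 3.6.13 itself (e.g. 3.6.13rc1) predates the final fix.
    return nums == FIXED_VERSION and prerelease


def find_vulnerable(freeze_lines):
    """Scan 'pip freeze' style lines and return the reportlab pins
    that are below the fixed version."""
    hits = []
    for line in freeze_lines:
        m = re.match(r"^\s*reportlab\s*==\s*([^\s;#]+)", line, re.IGNORECASE)
        if m and is_vulnerable(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample 'pip freeze' output, not taken from any real system.
SAMPLE_FREEZE = """\
Django==4.2.1
reportlab==3.6.12
xhtml2pdf==0.2.11
"""

if __name__ == "__main__":
    print("vulnerable pins:", find_vulnerable(SAMPLE_FREEZE.splitlines()))
```

Run it against the output of pip freeze from each deployed environment to inventory which ones still need the upgrade.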
