CVE-2023-33733
Published: 05 June 2023
Summary
CVE-2023-33733 is a high-severity Code Injection (CWE-94) vulnerability in the Reportlab PDF library (vendor: Reportlab). Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 3.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Reportlab versions up to 3.6.12 contain a code injection vulnerability that permits arbitrary code execution when a crafted PDF file is processed. The flaw is tracked as CVE-2023-33733, carries a CVSS 3.1 base score of 7.8, and is classified under CWE-94. The affected component is the Reportlab PDF generation library itself, which fails to safely handle certain inputs during PDF parsing or rendering.
An attacker can exploit the issue by supplying a malicious PDF that triggers code execution on the victim system. The attack requires local access and user interaction, such as opening the file; once triggered, it yields full confidentiality, integrity, and availability impact without requiring prior privileges.
The Fedora and Debian security advisories referenced in the CVE entry recommend updating Reportlab packages to patched versions; the Debian LTS announcement specifically covers the availability of corrected builds for affected releases. Public proof-of-concept code has been published, and the EPSS score currently stands at 0.3023.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1765
Vulnerability details
Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.
- CWE(s): CWE-94 (Code Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.