CVE-2023-33733

Severity: High · Public PoC available
Published: 05 June 2023
Modified: 08 January 2025
KEV Added: not listed
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.3023 (96.8th percentile)
Risk Priority: 34 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-33733 is a high-severity Code Injection (CWE-94) vulnerability in Reportlab (vendor: Reportlab). Its CVSS base score is 7.8 (High).

Operationally, it is ranked in the top 3.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Reportlab versions up to 3.6.12 contain a code injection vulnerability that permits arbitrary code execution when a crafted PDF file is processed. The flaw is tracked under CVE-2023-33733 with a CVSS 3.1 base score of 7.8 and is associated with CWE-94. The affected component is the Reportlab PDF generation library itself, which fails to safely handle certain inputs during PDF parsing or rendering.

An attacker can exploit the issue by supplying a malicious PDF that triggers code execution on the victim system. The attack requires local access and user interaction such as opening the file, after which the adversary obtains full confidentiality, integrity, and availability impact without needing prior privileges.

Fedora and Debian security advisories referenced in the CVE entry recommend updating Reportlab packages to patched versions; the Debian LTS announcement specifically addresses availability of corrected builds for affected releases. Public proof-of-concept code has been published, and the EPSS score currently stands at 0.3023.

Vulnerability details

Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.

CWE(s): CWE-94 (Code Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: reportlab
Product: reportlab
Affected versions: ≤ 3.6.12

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- addresses CWE-94: Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- addresses CWE-94: Validates inputs used in dynamic code generation to block injected directives.
- addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.
