
CVE-2018-17057: TCPDF vulnerable to attackers triggering deserialization of arbitrary data

CVSS Score (v3.0): 9.8

Basic Information

EPSS Score: 0.97141%
Published: 10/6/2022
Updated: 2/5/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name            Ecosystem   Vulnerable Versions   First Patched Version
tecnickcom/tcpdf        composer    < 6.2.22              6.2.22
fooman/tcpdf            composer    < 6.2.22              6.2.22
la-haute-societe/tcpdf  composer    < 6.2.22              6.2.22
spoonity/tcpdf          composer    < 6.2.22              6.2.22

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from unsafe use of file existence checks (file_exists) and file read operations (file_get_contents) on user-controlled paths. The patch in 6.2.22 introduced TCPDF_STATIC::file_exists to block non-http/https protocols, indicating that these calls previously had no protocol validation. Functions such as addTTFfont (fonts) and _parsejpeg (images) relied on these unvalidated checks, so a `phar://` path could reach them and trigger deserialization. The high confidence comes from the explicit protocol-restriction logic added in the fix and from the CVE details linking the phar wrapper to the exploit.
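As an added illustration (not TCPDF's or Miggo's code), the kind of scheme allow-list the 6.2.22 fix is described as introducing: a PHP check that refuses any stream wrapper other than http/https before file_exists() or file_get_contents() ever sees the path. The function name and sample paths are assumptions.

```php
<?php
// Added illustrative example, not TCPDF's own code. A guarded existence
// check that allow-lists the scheme of a path *before* file_exists() or
// file_get_contents() sees it, so a "phar://" (or any other stream
// wrapper) path supplied as a font or image name is refused outright.

/**
 * True only for an existing plain local path or a reachable http(s) URL.
 * Every other scheme (phar://, data://, ftp://, ...) returns false
 * without the path ever touching a filesystem or wrapper function.
 */
function guarded_file_exists(string $path): bool
{
    // A scheme is letters/digits/"+.-" followed by "://" at the very start.
    if (preg_match('~^([a-z][a-z0-9+.\-]*)://~i', $path, $m) === 1) {
        $scheme = strtolower($m[1]);           // wrappers are case-insensitive
        if ($scheme !== 'http' && $scheme !== 'https') {
            return false;                      // refuse phar://, data://, ...
        }
        // Remote resource: ask the server rather than calling file_exists()
        // on a URL (which would also require allow_url_fopen).
        $headers = @get_headers($path);
        return $headers !== false && preg_match('~\s200\b~', $headers[0]) === 1;
    }
    // Plain local path: realpath() also resolves "..", and is_file()
    // rejects directories and dangling symlinks.
    $real = realpath($path);
    return $real !== false && is_file($real);
}

// Constructed sample inputs (assumed paths, not taken from the advisory).
$samples = [
    'fonts/helvetica.ttf',                     // allowed only if the file exists
    'phar://example.phar/font.ttf',            // refused: non-http scheme
    'PHAR://example.phar/font.ttf',            // refused: case-insensitive
    'data://text/plain;base64,AAAA',           // refused: non-http scheme
];
foreach ($samples as $s) {
    printf("%-40s => %s\n", $s, guarded_file_exists($s) ? 'allowed' : 'refused');
}
```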


WAF Protection Rules

WAF Rule

An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the `phar://` wrapper.
