Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01aHc0LW03ZjMtaGh4OM4AAvLl
TCPDF vulnerable to attackers triggering deserialization of arbitrary data
An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01aHc0LW03ZjMtaGh4OM4AAvLl
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 7 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-5hw4-m7f3-hhx8, CVE-2018-17057
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-17057
- https://github.com/LimeSurvey/LimeSurvey/commit/1cdd78d27697b3150bb44aaa7af1a81062a591a5
- https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26ed
- https://contao.org/en/news/security-vulnerability-cve-2018-17057.html
- https://github.com/FriendsOfPHP/security-advisories/blob/master/wallabag/tcpdf/CVE-2018-17057.yaml
- https://www.exploit-db.com/exploits/46634/
- http://packetstormsecurity.com/files/152200/TCPDF-6.2.19-Deserialization-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/152360/LimeSurvey-Deserialization-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2019/Mar/36
- https://github.com/FriendsOfPHP/security-advisories/blob/master/fooman/tcpdf/CVE-2018-17057.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/la-haute-societe/tcpdf/CVE-2018-17057.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/spoonity/tcpdf/CVE-2018-17057.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/tecnickcom/tcpdf/CVE-2018-17057.yaml
- https://github.com/advisories/GHSA-5hw4-m7f3-hhx8
Blast Radius: 36.9
Affected Packages
packagist:spoonity/tcpdf
Dependent packages: 0
Dependent repositories: 0
Downloads: 615 total
Affected Version Ranges: < 6.2.22
Fixed in: 6.2.22
All affected versions: 6.0.13, 6.0.14, 6.0.15, 6.0.16, 6.0.17, 6.0.18, 6.0.19, 6.0.20, 6.0.21, 6.0.22, 6.0.23, 6.0.24, 6.0.25, 6.0.26, 6.0.27, 6.0.28, 6.0.29, 6.0.30, 6.0.31, 6.0.32, 6.0.33, 6.0.34, 6.0.35, 6.0.36, 6.0.37, 6.0.38, 6.0.39, 6.0.40, 6.0.41, 6.0.42, 6.0.43, 6.0.44, 6.0.45, 6.0.46, 6.0.47, 6.0.48, 6.0.49, 6.0.50, 6.0.51, 6.0.52, 6.0.53, 6.0.54, 6.0.55, 6.0.56, 6.0.57, 6.0.58, 6.0.59, 6.0.60, 6.0.61, 6.0.62, 6.0.63, 6.0.64, 6.0.65, 6.0.66, 6.0.67, 6.0.68, 6.0.69, 6.0.70, 6.0.71, 6.0.72, 6.0.73, 6.0.74, 6.0.75, 6.0.76, 6.0.77, 6.0.78, 6.0.79, 6.0.80, 6.0.81, 6.0.82, 6.0.83, 6.0.84, 6.0.85, 6.0.86, 6.0.87, 6.0.88, 6.0.89, 6.0.90, 6.0.91, 6.0.92, 6.0.93, 6.0.94, 6.0.95, 6.0.96, 6.0.97, 6.0.98, 6.0.99, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12
All unaffected versions:
packagist:la-haute-societe/tcpdf
Dependent packages: 0
Dependent repositories: 0
Downloads: 1,515 total
Affected Version Ranges: < 6.2.22
Fixed in: 6.2.22
All affected versions: 6.0.13, 6.0.14, 6.0.15, 6.0.16, 6.0.17, 6.0.18, 6.0.19, 6.0.20, 6.0.21, 6.0.22, 6.0.23, 6.0.24, 6.0.25, 6.0.26, 6.0.27, 6.0.28, 6.0.29, 6.0.30, 6.0.31, 6.0.32, 6.0.33, 6.0.34, 6.0.35, 6.0.36, 6.0.37, 6.0.38, 6.0.39, 6.0.40, 6.0.41, 6.0.42, 6.0.43, 6.0.44, 6.0.45, 6.0.46, 6.0.47, 6.0.48, 6.0.49, 6.0.50, 6.0.51, 6.0.52, 6.0.53, 6.0.54, 6.0.55, 6.0.56, 6.0.57, 6.0.58, 6.0.59, 6.0.60, 6.0.61, 6.0.62, 6.0.63, 6.0.64, 6.0.65, 6.0.66, 6.0.67, 6.0.68, 6.0.69, 6.0.70, 6.0.71, 6.0.72, 6.0.73, 6.0.74, 6.0.75, 6.0.76, 6.0.77, 6.0.78, 6.0.79, 6.0.80, 6.0.81, 6.0.82, 6.0.83, 6.0.84, 6.0.85, 6.0.86, 6.0.87, 6.0.88, 6.0.89, 6.0.90, 6.0.91, 6.0.92, 6.0.93, 6.0.94, 6.0.95, 6.0.96, 6.0.97, 6.0.98, 6.0.99, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14
All unaffected versions: 6.2.26
packagist:fooman/tcpdf
Dependent packages: 0
Dependent repositories: 6
Downloads: 982,484 total
Affected Version Ranges: < 6.2.22
Fixed in: 6.2.22
All affected versions: 6.0.13, 6.0.14, 6.0.15, 6.0.16, 6.0.17, 6.0.18, 6.0.19, 6.0.20, 6.0.21, 6.0.22, 6.0.23, 6.0.24, 6.0.25, 6.0.26, 6.0.27, 6.0.28, 6.0.29, 6.0.30, 6.0.31, 6.0.32, 6.0.33, 6.0.34, 6.0.35, 6.0.36, 6.0.37, 6.0.38, 6.0.39, 6.0.40, 6.0.41, 6.0.42, 6.0.43, 6.0.44, 6.0.45, 6.0.46, 6.0.47, 6.0.48, 6.0.49, 6.0.50, 6.0.51, 6.0.52, 6.0.53, 6.0.54, 6.0.55, 6.0.56, 6.0.57, 6.0.58, 6.0.59, 6.0.60, 6.0.61, 6.0.62, 6.0.63, 6.0.64, 6.0.65, 6.0.66, 6.0.67, 6.0.68, 6.0.69, 6.0.70, 6.0.71, 6.0.72, 6.0.73, 6.0.74, 6.0.75, 6.0.76, 6.0.77, 6.0.78, 6.0.79, 6.0.80, 6.0.81, 6.0.82, 6.0.83, 6.0.84, 6.0.85, 6.0.86, 6.0.87, 6.0.88, 6.0.89, 6.0.90, 6.0.91, 6.0.92, 6.0.93, 6.0.94, 6.0.95, 6.0.96, 6.0.97, 6.0.98, 6.0.99, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13
All unaffected versions: 6.2.22, 6.2.25, 6.3.2, 6.3.5, 6.4.4
packagist:tecnickcom/tcpdf
Dependent packages: 431
Dependent repositories: 5,837
Downloads: 67,472,418 total
Affected Version Ranges: < 6.2.22
Fixed in: 6.2.22
All affected versions: 6.0.13, 6.0.14, 6.0.15, 6.0.16, 6.0.17, 6.0.18, 6.0.19, 6.0.20, 6.0.21, 6.0.22, 6.0.23, 6.0.24, 6.0.25, 6.0.26, 6.0.27, 6.0.28, 6.0.29, 6.0.30, 6.0.31, 6.0.32, 6.0.33, 6.0.34, 6.0.35, 6.0.36, 6.0.37, 6.0.38, 6.0.39, 6.0.40, 6.0.41, 6.0.42, 6.0.43, 6.0.44, 6.0.45, 6.0.46, 6.0.47, 6.0.48, 6.0.49, 6.0.50, 6.0.51, 6.0.52, 6.0.53, 6.0.54, 6.0.55, 6.0.56, 6.0.57, 6.0.58, 6.0.59, 6.0.60, 6.0.61, 6.0.62, 6.0.63, 6.0.64, 6.0.65, 6.0.66, 6.0.67, 6.0.68, 6.0.69, 6.0.70, 6.0.71, 6.0.72, 6.0.73, 6.0.74, 6.0.75, 6.0.76, 6.0.77, 6.0.78, 6.0.79, 6.0.80, 6.0.81, 6.0.82, 6.0.83, 6.0.84, 6.0.85, 6.0.86, 6.0.87, 6.0.88, 6.0.89, 6.0.90, 6.0.91, 6.0.92, 6.0.93, 6.0.94, 6.0.95, 6.0.96, 6.0.97, 6.0.98, 6.0.99, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.16, 6.2.17, 6.2.19, 6.2.20, 6.2.21
All unaffected versions: 6.2.22, 6.2.23, 6.2.25, 6.2.26, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.5.0, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4, 6.7.5