CVE-2024-56522 — Type Confusion in Tcpdf

CWE-843 — Type Confusion CWE-697 — Incorrect Comparison6 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 70.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tecnick Tcpdf Tcpdf Project Tcpdf Tecnickcom Tcpdf

Timeline

PublishedDec 27

Description

An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka loose comparison) and does not use a constant-time function to compare TCPDF tag hashes.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5tecnick/tcpdf< 6.8.0

▶Packagisttecnickcom/tcpdf< 6.8.0

▶NVDtcpdf_project/tcpdf< 6.8.0

▶Debiantcpdf_project/tcpdf< 6.3.5+dfsg1-1+deb11u1+3

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

TCPDF has incorrect comparison↗2024-12-27

▶

CVEList

CVE-2024-56522: An issue was discovered in TCPDF before 6↗2024-12-27

▶

OSV

CVE-2024-56522: An issue was discovered in TCPDF before 6↗2024-12-27

▶

GHSA

TCPDF has incorrect comparison↗2024-12-27

▶

📋Vendor Advisories

Debian

CVE-2024-56522: tcpdf - An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka ...↗2024

▶