#VU102264 Improper certificate validation in TCPDF - CVE-2024-56521

Cybersecurity Help s.r.o.

Published: 2024-12-30

Vulnerability identifier: #VU102264

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-56521

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
TCPDF
Web applications / Other software

Vendor: Nicola Asuni

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to improper certificate validation when using CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER. A remote attacker can perform MitM attack and pass spoofed content into PDF file.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

TCPDF: 6.0.0 - 6.7.8

External links
https://github.com/tecnickcom/TCPDF/commit/aab43ab0a824e956276141a28a24c7c0be20f554
https://github.com/advisories/GHSA-9mgx-552f-59p6

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora 41 update for php-tcpdf

Fedora 40 update for php-tcpdf

Multiple vulnerabilities in TCPDF