Loose Comparison Vulnerability in TCPDF Affects Document Generation Security
CVE-2024-56522
Currently unrated
What is CVE-2024-56522?
A vulnerability has been identified in TCPDF versions prior to 6.8.0. The unserializeTCPDFtag function compares TCPDF tag hashes with a loose comparison ('!=') instead of a strict one, and it does not use a constant-time function for that comparison. An attacker may be able to exploit this weakness to compromise the integrity of documents generated with TCPDF. Version 6.8.0 addresses the issue, and users should upgrade to it.
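The difference between the two comparison styles, as an added PHP example that is not TCPDF's code: the function names, the demo key and the sample strings are hypothetical and constructed for illustration. It contrasts a loose '!=' check on a tag hash with PHP's built-in hash_equals(), which compares strings byte for byte in constant time.

```php
<?php
declare(strict_types=1);

// Hypothetical demo key and helpers; none of this is taken from TCPDF.
const DEMO_KEY = 'constructed-demo-key';

// Keyed hash over the serialized tag payload (illustrative construction).
function demo_tag_hash(string $payload): string
{
    return hash_hmac('sha256', $payload, DEMO_KEY);
}

// Weak form: '!=' applies PHP's type juggling, so two numeric-looking
// strings are compared as numbers, and the comparison is not constant-time.
function verify_loose(string $given, string $expected): bool
{
    if ($given != $expected) {
        return false;
    }
    return true;
}

// Hardened form: hash_equals() compares the raw bytes of both strings
// and takes the same time wherever the first difference occurs.
function verify_strict(string $given, string $expected): bool
{
    return hash_equals($expected, $given);
}

// Constructed sample values (not real hashes): different strings that
// PHP reads as the number zero in scientific notation.
$expected = '0e111111111111111111111111111111';
$given    = '0e222222222222222222222222222222';

printf("strings identical: %s\n", var_export($given === $expected, true));
printf("loose accepts:     %s\n", var_export(verify_loose($given, $expected), true));
printf("strict accepts:    %s\n", var_export(verify_strict($given, $expected), true));

// A genuine tag still verifies under the strict check.
$payload = '["demo_method",["arg"]]'; // constructed payload
$tag = demo_tag_hash($payload);
printf("valid tag accepted by strict check: %s\n",
    var_export(verify_strict($tag, demo_tag_hash($payload)), true));
```

Run with the PHP CLI; the loose check accepts the two different constructed strings while the strict check rejects them.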
Affected Version(s)
tcpdf 0 < 6.8.0