CVE-2024-56522: TCPDF has incorrect comparison

December 27, 2024 (updated December 30, 2024)

An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka loose comparison) and does not use a constant-time function to compare TCPDF tag hashes.

References

github.com/advisories/GHSA-w95c-7994-ghpr
github.com/tecnickcom/TCPDF
github.com/tecnickcom/TCPDF/commit/d54b97cec33f4f1a5ad81119a82085cad93cec89
github.com/tecnickcom/TCPDF/compare/6.7.8...6.8.0
nvd.nist.gov/vuln/detail/CVE-2024-56522
tcpdf.org/
www.php.net/manual/en/types.comparisons.php

Detect and mitigate CVE-2024-56522 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →