CVE-2018-17057

Summary

CVE	CVE-2018-17057
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-09-14 20:29:00 UTC
Updated	2019-04-26 16:38:00 UTC
Description	An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.

Risk And Classification

Problem Types: CWE-502

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Limesurvey	Limesurvey	All	All	All	All
Application	Limesurvey	Limesurvey	All	All	All	All
Application	Tecnick	Tcpdf	All	All	All	All
Application	Tecnick	Tcpdf	All	All	All	All

References

Reference	Source	Link	Tags
LimeSurvey Deserialization Remote Code Execution ≈ Packet Storm	MISC	packetstormsecurity.com	Exploit, Third Party Advisory, VDB Entry
Fix for security vulnerability: Using the phar:// wrapper it was poss… · tecnickcom/TCPDF@1861e33 · GitHub	MISC	github.com	Patch, Third Party Advisory
TCPDF 6.2.19 Deserialization / Remote Code Execution ≈ Packet Storm	MISC	packetstormsecurity.com	Third Party Advisory, VDB Entry
LimeSurvey < 3.16 - Remote Code Execution - PHP webapps Exploit	EXPLOIT-DB	www.exploit-db.com	Third Party Advisory, VDB Entry
[security] Fixed issue #14670 : update tcpdf to 6.2.25 · LimeSurvey/LimeSurvey@1cdd78d · GitHub	MISC	github.com	Patch, Third Party Advisory
Full Disclosure: CVE-2018-17057: phar deserialization in TCPDF might lead to RCE	FULLDISC	seclists.org	Mailing List, Third Party Advisory
Arbitrary code execution in TCPDF - Contao Open Source CMS	MISC	contao.org	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.