Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes tecnickcom/tcpdf security CVEs #16013

Merged
merged 1 commit into from
Dec 30, 2024
Merged

Fixes tecnickcom/tcpdf security CVEs #16013

merged 1 commit into from
Dec 30, 2024

Conversation

joelpittet
Copy link
Contributor

Fixes the following CVE-2024-56522, CVE-2024-56527, CVE-2024-56519, CVE-2024-56521

❯ composer audit
Found 4 security vulnerability advisories affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | tecnickcom/tcpdf                                                                 |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-56522                                                                   |
| Title             | TCPDF has incorrect comparison                                                   |
| URL               | https://github.com/advisories/GHSA-w95c-7994-ghpr                                |
| Affected versions | <6.8.0                                                                           |
| Reported at       | 2024-12-27T06:30:48+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | tecnickcom/tcpdf                                                                 |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-56527                                                                   |
| Title             | TCPDF missing character escape on error messages                                 |
| URL               | https://github.com/advisories/GHSA-qx95-cwh6-9mvq                                |
| Affected versions | <6.8.0                                                                           |
| Reported at       | 2024-12-27T06:30:48+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | tecnickcom/tcpdf                                                                 |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-56519                                                                   |
| Title             | TCPDF lacks SVG sanitization                                                     |
| URL               | https://github.com/advisories/GHSA-4p8j-vhjm-6pvw                                |
| Affected versions | <6.8.0                                                                           |
| Reported at       | 2024-12-27T06:30:47+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | tecnickcom/tcpdf                                                                 |
| Severity          | high                                                                             |
| CVE               | CVE-2024-56521                                                                   |
| Title             | TCPDF missing certificate validation                                             |
| URL               | https://github.com/advisories/GHSA-9mgx-552f-59p6                                |
| Affected versions | <6.8.0                                                                           |
| Reported at       | 2024-12-27T06:30:47+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

Minor semver updated

❯ composer update tecnickcom/tcpdf
Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 1 update, 0 removals
  - Upgrading tecnickcom/tcpdf (6.7.7 => 6.8.0)

@joelpittet joelpittet requested a review from snipe as a code owner December 30, 2024 22:01
@probot-autolabeler probot-autolabeler bot added backend dependencies Pull requests that update a dependency file labels Dec 30, 2024
@snipe
Copy link
Owner

snipe commented Dec 30, 2024

Damn you’re fast! I just got the snyk a few hours ago. Thanks!

@snipe snipe merged commit c7ca4d0 into snipe:develop Dec 30, 2024
9 checks passed
@joelpittet
Copy link
Contributor Author

@snipe Oh I can leave it to snyk if that works better for your workflow?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@snipe snipe Awaiting requested review from snipe snipe is a code owner

Assignees
No one assigned
Labels
backend dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@joelpittet @snipe