CVE-2024-56520 — tecnickcom/tc-lib-pdf-font mishandles fonts

Description

An issue was discovered in tc-lib-pdf-font before 2.6.4, as used in TCPDF before 6.8.0 and other products. Fonts are mishandled, e.g., FontBBox for Type 1 and TrueType fonts is misparsed.

How to fix CVE-2024-56520

To remediate CVE-2024-56520, upgrade the affected package to a fixed version below.

Debian/tcpdf—upgrade to 6.3.5+dfsg1-1+deb11u1 or later
—upgrade to 2.6.4 or later

Is CVE-2024-56520 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 6.3.5+dfsg1-1+deb11u1
from 0, < 2.6.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-56520
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-56520
PATCHgithub.com/tecnickcom/tc-lib-pdf-font
WEBgithub.com/tecnickcom/tc-lib-pdf-font/commit/30012e333ae611c514ec2dc7cb370bbf4da4e677