PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6100 Tcpdf Project CVE debrief

CVE-2017-6100 describes a high-severity TCPDF issue in versions before 6.2.0 where files on the server that generates the PDF can be uploaded to an external FTP destination. NVD rates the flaw as network-exploitable with no privileges or user interaction required and a high confidentiality impact (no integrity or availability impact is recorded). If your environment uses TCPDF 6.1.1 or earlier, treat this as a priority upgrade and review any PDF workflow that can trigger an outbound FTP transfer.

Vendor: Tcpdf Project
Product: tcpdf
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-23
Original CVE updated: 2026-05-13
Advisory published: 2017-02-23
Advisory updated: 2026-05-13

Who should care

Application teams and operators that embed TCPDF for server-side PDF generation; developers maintaining PHP applications with TCPDF dependencies; security teams that manage outbound network controls and data-loss prevention for web servers.

Technical summary

The official NVD record maps CVE-2017-6100 to tcpdf versions through 6.1.1 and assigns the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High). The described behavior is that TCPDF before 6.2.0 uploads files from the server generating the PDF to an external FTP location: content readable by the PDF-generation process can leave the host, which makes this a confidentiality exposure path rather than a code-execution issue (the vector records no integrity or availability impact). NVD classifies the weakness as CWE-668 (Exposure of Resource to Wrong Sphere).
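The version range above is what an inventory check has to operationalize. The following shell script is an added example written for this debrief, not code from PatchSiren or the TCPDF project: it walks a directory tree, picks up both Composer-managed and vendored copies of TCPDF, and reports whether each one is older than 6.2.0. It assumes (neither fact is stated in the advisory) that TCPDF 6.x declares its version in include/tcpdf_static.php as `private static $tcpdf_version = '...'` and that Composer installs record the package as tecnickcom/tcpdf in composer.lock. The fixture files it creates under a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this debrief (not PatchSiren's or TCPDF's own code).
# Reports every TCPDF copy under a root directory and whether it falls in
# the CVE-2017-6100 range (older than 6.2.0).
# Assumptions, not taken from the advisory:
#  - TCPDF 6.x declares its version in include/tcpdf_static.php as
#      private static $tcpdf_version = '6.x.y';
#  - Composer-managed installs list tecnickcom/tcpdf in composer.lock
#    with a "version" entry following the "name" entry.

FIXED_VERSION="6.2.0"

# version_lt A B: exit 0 when dotted version A is older than B.
# Leading "v" and suffixes such as "-beta" are stripped; missing
# components count as 0 (so 6.2 == 6.2.0).
version_lt() {
  a=$(printf '%s\n' "$1" | sed 's/^v//; s/[^0-9.].*$//').0.0.0
  b=$(printf '%s\n' "$2" | sed 's/^v//; s/[^0-9.].*$//').0.0.0
  i=1
  while [ "$i" -le 4 ]; do
    pa=$(printf '%s\n' "$a" | cut -d. -f"$i"); pa=${pa:-0}
    pb=$(printf '%s\n' "$b" | cut -d. -f"$i"); pb=${pb:-0}
    [ "$pa" -lt "$pb" ] && return 0
    [ "$pa" -gt "$pb" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# tcpdf_status VERSION: prints VULNERABLE or FIXED for CVE-2017-6100.
tcpdf_status() {
  if version_lt "$1" "$FIXED_VERSION"; then echo VULNERABLE; else echo FIXED; fi
}

# version_from_static FILE: version string declared in tcpdf_static.php
# (or an old single-file tcpdf.php that uses the same property name).
version_from_static() {
  sed -n "s/.*\$tcpdf_version *= *'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# version_from_lock FILE: version of tecnickcom/tcpdf recorded in composer.lock.
version_from_lock() {
  awk '/"name": *"tecnickcom\/tcpdf"/ {hit=1}
       hit && /"version":/ {gsub(/[",]/, "", $2); sub(/^v/, "", $2); print $2; exit}' "$1"
}

# scan_tree ROOT: one line per TCPDF copy found: <file> <version> <status>.
# Vendored copies (no composer.lock) are caught through tcpdf_static.php.
scan_tree() {
  find "$1" \( -name tcpdf_static.php -o -name tcpdf.php -o -name composer.lock \) -type f |
  while IFS= read -r f; do
    case "$f" in
      *composer.lock) v=$(version_from_lock "$f") ;;
      *)              v=$(version_from_static "$f") ;;
    esac
    if [ -n "$v" ]; then printf '%s %s %s\n' "$f" "$v" "$(tcpdf_status "$v")"; fi
  done
}

# Constructed fixtures (not real installs) so the scan runs offline:
# one vendored 6.1.1 copy and one Composer-managed 6.2.13 install.
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/legacy-app/vendor/tcpdf/include" "$DEMO_DIR/new-app"
printf "<?php\nclass TCPDF_STATIC {\n\tprivate static \$tcpdf_version = '6.1.1';\n}\n" \
  > "$DEMO_DIR/legacy-app/vendor/tcpdf/include/tcpdf_static.php"
cat > "$DEMO_DIR/new-app/composer.lock" <<'EOF'
{
    "packages": [
        {
            "name": "tecnickcom/tcpdf",
            "version": "6.2.13"
        }
    ]
}
EOF

scan_tree "$DEMO_DIR"
```

Run it against a real web root with `scan_tree /var/www`; any line ending in VULNERABLE is a deployment still inside the NVD range and belongs on the upgrade list.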

Defensive priority

High. The issue is remotely reachable, requires no privileges or user interaction, and is rated for high confidentiality impact, so affected deployments should be patched quickly and monitored for unexpected outbound FTP activity.

Recommended defensive actions

  • Upgrade TCPDF to 6.2.0 or later.
  • Inventory applications and services that depend on TCPDF and confirm the deployed version is not 6.1.1 or earlier.
  • Review PDF-generation code paths and configurations for any FTP or other outbound file-transfer behavior.
  • Restrict or monitor outbound FTP egress from servers that generate PDFs.
  • Check server logs and network telemetry for unexpected file-transfer activity from PDF-generation hosts.
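The last three actions (restrict outbound file transfer, monitor FTP egress, check telemetry) can be made concrete with a small amount of shell. The script below is an added example written for this debrief, not PatchSiren's or TCPDF's code. It prints an nftables ruleset that drops outbound TCP/21 from the account PHP runs under, and it runs a detector over connection-log lines that reports every FTP control-channel attempt per host and destination. The log format, host names and addresses are constructed for the example; the ruleset is only printed, not loaded, and the user name passed in (www-data) is an assumption about the deployment.

```shell
#!/bin/sh
# Added example for this debrief (not PatchSiren's or TCPDF's own code).
# 1) nft_pdf_egress_policy USER: prints an nftables ruleset (not applied)
#    that logs and drops outbound TCP/21 from USER, the account under which
#    PHP generates PDFs. FTP cannot start without its control channel on
#    TCP/21, so dropping that port stops an ftp:// upload before any data
#    channel (which passive mode would open on a high port) is negotiated.
#    Load with:  nft -f policy.nft
nft_pdf_egress_policy() {
  cat <<EOF
table inet pdf_egress {
    chain output {
        type filter hook output priority 0; policy accept;
        meta skuid "$1" tcp dport 21 counter log prefix "pdf-egress-ftp " drop
    }
}
EOF
}

# 2) ftp_egress_report LOGFILE: aggregates TCP/21 connection attempts as
#    "<host> <dst> <action> <count>". Allowed connections are a live data
#    exfiltration path; denied ones still show which host tried.
#    Log line format (constructed for this example, one key=value per field):
#      <timestamp> host=<name> proto=<tcp|udp> src=<ip> dst=<ip> dport=<n> action=<allow|deny>
ftp_egress_report() {
  awk '
    {
      split("", f)
      for (i = 2; i <= NF; i++) { split($i, kv, "="); f[kv[1]] = kv[2] }
      if (f["proto"] == "tcp" && f["dport"] == "21")
        n[f["host"] " " f["dst"] " " f["action"]]++
    }
    END { for (k in n) print k, n[k] }' "$1" | sort
}

# Constructed sample telemetry: two PDF workers, one web front end.
# pdf-worker-1 reached an external FTP server twice; pdf-worker-2 was blocked.
CONN_LOG='2017-02-24T09:12:01Z host=pdf-worker-1 proto=tcp src=10.10.5.21 dst=10.10.5.40 dport=3306 action=allow
2017-02-24T09:12:03Z host=pdf-worker-1 proto=tcp src=10.10.5.21 dst=203.0.113.45 dport=21 action=allow
2017-02-24T09:12:03Z host=web-front-2 proto=tcp src=10.10.5.22 dst=198.51.100.9 dport=443 action=allow
2017-02-24T09:12:09Z host=pdf-worker-1 proto=tcp src=10.10.5.21 dst=203.0.113.45 dport=21 action=allow
2017-02-24T09:12:10Z host=pdf-worker-1 proto=udp src=10.10.5.21 dst=10.10.5.53 dport=53 action=allow
2017-02-24T09:13:44Z host=pdf-worker-2 proto=tcp src=10.10.5.23 dst=198.51.100.70 dport=21 action=deny'
LOGFILE=$(mktemp)
printf '%s\n' "$CONN_LOG" > "$LOGFILE"

echo "# egress policy for the PHP account:"
nft_pdf_egress_policy www-data
echo "# TCP/21 attempts in the sample log (host dst action count):"
ftp_egress_report "$LOGFILE"
```

In production, point `ftp_egress_report` at exported firewall or flow logs for the PDF-generation hosts; a host that should never speak FTP showing an `allow` row is the signal the advisory is asking you to look for, and the `pdf-egress-ftp` kernel log prefix from the ruleset gives you the same signal once the drop rule is in place.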

Evidence notes

This debrief is based on the official CVE/NVD record and the linked references supplied in the corpus. The source description states that tcpdf before 6.2.0 uploads files from the server generating PDF files to an external FTP destination. NVD lists vulnerable CPE coverage through 6.1.1 and provides the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N with CWE-668. Supporting references include the oss-security mailing list post, Debian bug 814030, and SourceForge bug 1005.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-23, with mitigation-related references pointing to oss-security, Debian, and SourceForge issue tracking.