Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048

Project: Entity Print
Date: 2022-July-13
Security risk: Moderately critical 13∕25
Vulnerability: Multiple: Remote Code Execution, Information disclosure

Description

This module enables you to generate print versions of content.
Some installations of the module make use of the dompdf/dompdf third-party dependency.
Security vulnerabilities exist in versions of dompdf/dompdf earlier than 2.0.0.

See the library release notes for more detail: https://github.com/dompdf/dompdf/releases/tag/v2.0.0

Note on 3rd party vulnerabilities

This security advisory corresponds to a 3rd party vulnerability. Normally the Drupal Security Team would not issue advisories related to 3rd party code that is shipped separately from a module, per our policy (most recent update is PSA-2019-09-04). In this case, because the module required a specific version and could not be updated without a change to the Drupal module, we are issuing an advisory.

Solution

Install the latest version (8.x-2.6) of this module and update dompdf/dompdf at the same time. It is recommended to use composer to do the update using commands similar to the following:

composer update drupal/entity_print
composer require dompdf/dompdf:~2
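
To confirm what a site actually has installed before and after the update, the following added example (not part of the advisory or the Entity Print project) reads a composer.lock and flags dompdf/dompdf below 2.0.0 and drupal/entity_print below 2.6.0. It assumes Composer reports the 8.x-2.6 release as 2.6.0; the function names and the sample lock file are constructed for illustration.

```python
import json
import re

# Minimum safe versions taken from the advisory text. Assumption: Composer
# reports the Drupal release 8.x-2.6 as 2.6.0.
MINIMUM = {
    "dompdf/dompdf": (2, 0, 0),
    "drupal/entity_print": (2, 6, 0),
}

def parse_version(raw):
    """Return (major, minor, patch), or None for anything that is not a plain
    release (branch aliases such as dev-master, pre-releases such as 2.0.0-rc1)."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", raw.strip())
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())

def audit_lock(lock_text):
    """Map each tracked package found in composer.lock to a status string."""
    lock = json.loads(lock_text)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            name = pkg.get("name", "").lower()
            if name not in MINIMUM:
                continue
            version = parse_version(pkg.get("version", ""))
            if version is None:
                findings[name] = "unknown"   # cannot compare, review by hand
            elif version < MINIMUM[name]:
                findings[name] = "vulnerable"
            else:
                findings[name] = "ok"
    return findings

# Constructed sample lock file (not taken from a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/entity_print", "version": "2.5.0"},
        {"name": "dompdf/dompdf", "version": "v1.2.2"},
        {"name": "drupal/core", "version": "9.4.2"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, status in sorted(audit_lock(SAMPLE_LOCK).items()):
        print(f"{name}: {status}")
```

A package that is absent from the result is not installed through Composer; sites that placed dompdf manually in a libraries directory need a separate check.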

Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. In recent years he has been actively developing AltaGrade's new back-end system.