CVE-2021-43113

Published: 15/12/2021 Updated: 24/03/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.

Vulnerable Product

itextpdf itext

debian debian linux 10.0

debian debian linux 11.0

Vendor Advisories

Debian Bug report logs - #1014597 libitext5-java: new version 5.5.13.3 addresses CVE-2021-43113. Package: libitext5-java; Maintainer for libitext5-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Source for libitext5-java is src:libitext5-java. Reported by: Thomas Uhle <t ...
It was discovered that the CompareTool of iText, a Java PDF library which uses the external ghostscript software to compare PDFs at a pixel level, allowed command injection when parsing a specially crafted filename. For the stable distribution (bullseye), this problem has been fixed in version 5.5.13.2-1+deb11u1. We recommend that you upgrade your ...