cbcvebase.
CVE-2021-43113
published 2021-12-15

CVE-2021-43113: iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript)…

Priority: P2 · 61
Severity: critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.17% (91.4th percentile)
iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.
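The injection class named in the description, as an added illustration in Python rather than iText's Java. This is not GhostscriptHelper.java or any iText code; the function names, the hostile filename and the output prefix are constructed for the demonstration, and the gs flags are ordinary Ghostscript options. It shows why a filename concatenated into a shell command string becomes a second command, and the hardened alternative: an allow-listed name passed as one argv element with no shell in between.

```python
import re
import shlex
import shutil
import subprocess

# Constructed inputs for the demonstration. The hostile name is what an
# attacker who controls a filename handed to a compare routine might supply.
SAFE_NAME = "page1.pdf"
MALICIOUS_NAME = "page1.pdf; touch /tmp/pwned #"


def unsafe_gs_command(pdf_name: str, out_prefix: str) -> str:
    """Vulnerable pattern: the gs command line is one string with the filename
    concatenated in. Handed to a shell (sh -c), a ';' in the name ends the gs
    command and starts a second, attacker-chosen command."""
    return (f"gs -dNOPAUSE -dBATCH -sDEVICE=png16m -r150 "
            f"-sOutputFile={out_prefix}-%03d.png {pdf_name}")


def shell_segments(command: str) -> list[list[str]]:
    """Split a command string into the separate commands a POSIX shell would run.
    shlex with punctuation_chars=True emits ';', '|', '&', '&&' and '||' as
    their own tokens, so they mark command boundaries here."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments: list[list[str]] = []
    current: list[str] = []
    for tok in lexer:
        if tok in {";", "&", "&&", "|", "||"}:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


# Hardened side: allow-list the filename and never build a shell string.
# A name must start with an alphanumeric (so gs cannot read it as an option),
# contain only [A-Za-z0-9_.-], and end in .pdf.
SAFE_PDF_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*\.pdf")


def validated_gs_argv(pdf_name: str, out_prefix: str) -> list[str]:
    """Return argv for gs as a list, so the filename is exactly one argument
    whatever it contains; names outside the allow-list are refused before
    they reach any command line. -dSAFER restricts the PostScript interpreter's
    file access; it does nothing against command-line injection, which is the
    caller's responsibility."""
    if not SAFE_PDF_NAME.fullmatch(pdf_name):
        raise ValueError(f"refusing unsafe PDF name: {pdf_name!r}")
    if out_prefix.startswith("-") or not re.fullmatch(r"[A-Za-z0-9_./-]+", out_prefix):
        raise ValueError(f"refusing unsafe output prefix: {out_prefix!r}")
    return ["gs", "-dNOPAUSE", "-dBATCH", "-dSAFER", "-sDEVICE=png16m", "-r150",
            f"-sOutputFile={out_prefix}-%03d.png", pdf_name]


def rejects(pdf_name: str) -> bool:
    """True if validated_gs_argv refuses the name."""
    try:
        validated_gs_argv(pdf_name, "out")
    except ValueError:
        return True
    return False


def run_gs(argv: list[str]) -> int:
    """Execute gs from an argv list; subprocess.run without shell=True never
    hands the arguments to a shell, so separators in them are inert."""
    if shutil.which("gs") is None:
        raise FileNotFoundError("gs is not installed")
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    print(shell_segments(unsafe_gs_command(MALICIOUS_NAME, "out")))  # two commands
    print(shell_segments(unsafe_gs_command(SAFE_NAME, "out")))       # one command
    print(validated_gs_argv(SAFE_NAME, "out"))
    print(rejects(MALICIOUS_NAME), rejects("-dNOSAFER.pdf"), rejects(SAFE_NAME))
```

The allow-list is deliberately narrower than what a filesystem accepts: the goal is to admit only names the caller actually expects, not to enumerate every shell metacharacter. Even with the argv form, the leading-character rule matters, because a name starting with "-" would otherwise be parsed by gs as an option.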

Affected

4 ranges

Vendor      Product           Version range                 Fixed in
debian      debian_linux      (no version range given)      -
debian      debian_linux      (no version range given)      -
debian      libitext5-java    < 5.5.13.3-1 (bookworm)       5.5.13.3-1 (bookworm)
itextpdf    itext             >= 7.0.0, < 7.1.17            7.1.17

Detection & IOCs (extracted from sources)

filename: GhostscriptHelper.java
process: gs
  • Monitor for command injection via crafted filenames passed to the gs (Ghostscript) process spawned by iText's CompareTool/GhostscriptHelper: look for unusual shell metacharacters or command separators in gs command-line arguments originating from iText processes. If gs is launched through a shell, the separators appear in the shell's -c argument rather than in gs's own argv, so inspect both.
  • Affected versions are iText 7 up to (excluding) 7.1.17 and iText 5 up to (excluding) 5.5.13.3; flag any deployment of these versions where CompareTool functionality is exposed to untrusted input.
  • Oracle rates this CVE 9.8 (CVSS 3.1), remotely exploitable over HTTP/HTTPS, in network-accessible products such as Oracle Fusion Middleware Content Server and Oracle Construction and Engineering Reports; prioritize patching internet-facing products that embed iTextPDF.
  • The vulnerability is exploitable only when CompareTool is used and attacker-controlled filenames reach the gs (Ghostscript) command line; deployments that never invoke CompareTool/GhostscriptHelper are not directly exposed.
  • Oracle's 7.8 rating (local attack vector, no remote exploit) applies to Oracle Insurance Applications Enterprise Edition; the same CVE is rated 9.8 and remotely exploitable in Oracle's other affected products, so detection scope and patch priority should be set per deployment context.
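The detection and version-gating points in the list above, carried out as an added Python example. It is not code from the page's sources or from iText; the process events are constructed JSON lines, and the field names (ts, parent_exe, parent_cmdline, exe, argv) are an assumed EDR/auditd-style export schema to be mapped onto a real source. It covers both spawn shapes: gs executed directly, where a separator shows up as a stray token in gs's argv, and gs executed through sh -c, where the separator is inside the shell script string.

```python
import json
import re
from pathlib import PurePosixPath
from typing import Optional

# Constructed process-execution events (JSON lines); not real telemetry.
SAMPLE_EVENTS = r"""
{"ts": "2021-12-16T09:00:01Z", "parent_exe": "/usr/bin/java", "parent_cmdline": "java -cp itext-kernel.jar com.itextpdf.kernel.utils.CompareTool out.pdf cmp.pdf", "exe": "/usr/bin/gs", "argv": ["gs", "-dNOPAUSE", "-dBATCH", "-sDEVICE=png16m", "-r150", "-sOutputFile=out-%03d.png", "out.pdf"]}
{"ts": "2021-12-16T09:00:07Z", "parent_exe": "/usr/bin/java", "parent_cmdline": "java -cp itext-kernel.jar com.itextpdf.kernel.utils.CompareTool out.pdf cmp.pdf", "exe": "/bin/sh", "argv": ["sh", "-c", "gs -dNOPAUSE -dBATCH -sDEVICE=png16m -sOutputFile=out-%03d.png out.pdf; id > /tmp/o"]}
{"ts": "2021-12-16T09:01:12Z", "parent_exe": "/usr/bin/java", "parent_cmdline": "java -cp itext-kernel.jar com.itextpdf.kernel.utils.CompareTool out.pdf cmp.pdf", "exe": "/usr/bin/gs", "argv": ["gs", "-dNOPAUSE", "-dBATCH", "-sDEVICE=png16m", "-sOutputFile=out-%03d.png", "out.pdf;", "rm", "-rf", "work"]}
{"ts": "2021-12-16T09:02:30Z", "parent_exe": "/bin/bash", "parent_cmdline": "bash", "exe": "/bin/sh", "argv": ["sh", "-c", "gs -q -sDEVICE=pdfwrite -o merged.pdf a.pdf b.pdf && echo done"]}
"""

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
SHELL_META = re.compile(r"[;&|`$<>\r\n]")          # command separators and substitution characters
GS_IN_SCRIPT = re.compile(r"(?:^|[\s;&|(])gs\s")    # a gs invocation somewhere in a shell -c string
ITEXT_PARENT = re.compile(r"itext|CompareTool", re.IGNORECASE)


def analyze_event(event: dict) -> Optional[dict]:
    """Return a finding if this event is a gs command line carrying shell
    metacharacters, or None. Severity is 'high' when the parent process looks
    like iText (the page's scope) and 'info' otherwise."""
    name = PurePosixPath(event["exe"]).name
    argv = event["argv"]
    if name == "gs":
        # Direct exec: a separator can only appear as part of a literal argument.
        hits = [tok for tok in argv[1:] if SHELL_META.search(tok)]
        how = "shell metacharacter inside gs argv (direct exec)"
    elif name in SHELLS and "-c" in argv[:-1]:
        script = argv[argv.index("-c") + 1]
        if not GS_IN_SCRIPT.search(script):
            return None
        hits = SHELL_META.findall(script)
        how = "gs invoked through a shell with metacharacters in the -c string"
    else:
        return None
    if not hits:
        return None
    from_itext = bool(ITEXT_PARENT.search(event.get("parent_cmdline", "")))
    return {"ts": event["ts"], "severity": "high" if from_itext else "info",
            "reason": how, "hits": hits, "parent": event.get("parent_exe")}


def detect(jsonl: str) -> list[dict]:
    """Run analyze_event over JSON-lines text and collect findings in order."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            finding = analyze_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def is_affected_version(version: str) -> bool:
    """Affected ranges as stated on this page: iText 7 from 7.0.0 before 7.1.17,
    and iText 5 before 5.5.13.3 (a bare 5.5.13 sorts below 5.5.13.3)."""
    v = parse_version(version)
    if v[0] == 7:
        return (7, 0, 0) <= v < (7, 1, 17)
    if v[0] == 5:
        return v < (5, 5, 13, 3)
    return False


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["ts"], f["severity"], f["reason"], f["hits"])
    for ver in ("7.1.16", "7.1.17", "5.5.13", "5.5.13.3"):
        print(ver, "affected" if is_affected_version(ver) else "fixed")
```

The third sample event is the case that is easy to miss: when the caller tokenizes the string itself and execs gs without a shell, nothing is injected, but the trailing ";" stays attached to the filename token and is a reliable sign that someone is probing that code path. Pairing the detection with the version gate lets the same job decide whether a flagged host also runs a vulnerable iText build.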

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv             -         9.8     CRITICAL   -
vendor_debian   -         9.8     CRITICAL   -
vendor_oracle   -         9.8     CRITICAL   -