CVE-2021-43113
Published: 2021-12-15
CVE-2021-43113: iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript)…
Priority: P261 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.17% (91.4th percentile)
iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libitext5-java | < libitext5-java 5.5.13.3-1 (bookworm) | libitext5-java 5.5.13.3-1 (bookworm) |
| itextpdf | itext | >= 7.0.0 < 7.1.17 | 7.1.17 |
Detection & IOCs (extracted from sources)
- Monitor for command injection via crafted filenames passed to the gs (Ghostscript) process spawned by iText's CompareTool/GhostscriptHelper — look for unusual shell metacharacters or command separators in gs command-line arguments originating from iText processes.
- Affected versions are iText 7 up to (excluding) 7.1.17 and iText 5 up to (excluding) 5.5.13.3; flag any deployment of these versions where CompareTool functionality is exposed to untrusted input.
- Oracle rates this vulnerability 9.8 (CVSS) with remote exploit over HTTPS/HTTP in network-accessible deployments (e.g., Oracle Fusion Middleware Content Server, Oracle Construction and Engineering Reports); prioritize patching internet-facing products embedding iTextPDF.
- The vulnerability is exploitable only when CompareTool is used and attacker-controlled filenames are passed to the gs (Ghostscript) command line; deployments that do not invoke CompareTool/GhostscriptHelper are not directly exposed.
- Oracle's local-only CVSS 7.8 rating (no remote exploit) applies to Oracle Insurance Applications Enterprise Edition; the same CVE is rated 9.8 remotely exploitable in other Oracle products — detection scope and priority should be adjusted per deployment context.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_oracle | — | 9.8 | CRITICAL | — |
Oracle
Oracle Construction and Engineering Risk Matrix: Reports (iTextPDF) — CVE-2021-43113 [CRITICAL]
vendor_oracle · 2026-01-15 · CVSS 9.8
CVE: CVE-2021-43113
CVSS: 9.8
Protocol: HTTPS
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2026 (JAN 2026)
Oracle
Oracle Insurance Applications Risk Matrix: Enterprise Edition (iTextPDF) — CVE-2021-43113 [CRITICAL]
vendor_oracle · 2024-04-15 · CVSS 7.8
CVE: CVE-2021-43113
CVSS: 7.8
Protocol: None
Remote exploit: No
Affected versions: Local
Advisory: cpuapr2024 (APR 2024)
Oracle
Oracle Fusion Middleware Risk Matrix: Content Server (iTextPDF) — CVE-2021-43113 [CRITICAL]
vendor_oracle · 2023-07-15 · CVSS 9.8
CVE: CVE-2021-43113
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2023 (JUL 2023)
Debian
CVE-2021-43113 [CRITICAL]: libitext5-java - iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injecti...
vendor_debian · 2021 · CVSS 9.8
iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.
Scope: local
bookworm: resolved (fixed in 5.5.13.3-1)
bullseye: resolved (fixed in 5.5.13.2-1+deb11u1)
forky: resolved (fixed in 5.5.13.3-1)
sid: resolved (fixed in 5.5.13.3-1)
trixie: resolved (fixed in 5.5.13.3-1)
GHSA
Command injection in itext7-core (CVE-2021-43113, CRITICAL, CWE-77)
ghsa · 2021-12-16
iTextPDF in iText before 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.
OSV
Command injection in itext7-core (CVE-2021-43113, CRITICAL)
osv · 2021-12-16
iTextPDF in iText before 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.
OSV
CVE-2021-43113 [CRITICAL]: iTextPDF in iText 7 and up to (excluding 4
osv · 2021-12-15 · CVSS 9.8
iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.
No detection rules found.
No public exploits indexed.
arXiv
Cross-ecosystem categorization: A manual-curation protocol for the categorization of Java Maven libraries along Python PyPI Topics
arxiv_fulltext · 2024-03-10
Authors: Ranindya Paramitha, Yuan Feng, Fabio Massacci, Carlos E. Budde (University of Trento, Trento, Italy; Vrije Universiteit Amsterdam, The Netherlands). This work was funded by the EU under GAs 101067199 (ProSVED), 101120393 (Sec4AI4Sec), and 952647 (H2020-AssureMOSS).
## Abstract
Context: Software of different functional categories, such as text processing vs. networking, has different profiles in terms of metrics like security and updates. Using popularity to compare e.g. Java vs. Python libraries might g
Qualys
Oracle Patch Tuesday, July 2023 Security Update Review
blogs_qualys · 2023-07-19
## Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
Oracle has released its third quarterly edition of Critical Patch Update, which contains a group of patches for 508 security vulnerabilities. Some of the vulnerabilities addressed this month impact more than one product. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products.
During Q3 2023 Oracle Critical Patch Update, the Oracle Financial Services Applications received the highest number of 147 patches, constituting 29% of the total patches released. Oracle Communications and Oracle Fusion Middleware followed, with
References
- https://github.com/itext/itext7/releases/tag/7.1.17
- https://github.com/itext/itextpdf/releases/tag/5.5.13.3
- https://lists.debian.org/debian-lts-announce/2023/01/msg00013.html
- https://pastebin.com/BXnkY9YY
- https://www.debian.org/security/2023/dsa-5323
Published: 2021-12-15