CVE-2021-43113 — Command Injection in Itext

CWE-77 — Command Injection11 documents7 sources

Severity

9.8CRITICALNVD

EPSS

3.5%

top 12.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Itextpdf Itext Debian Libitext5-java Debian Linux

Timeline

PublishedDec 15

Latest updateJan 15

Description

iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDitextpdf/itext7.0.0 — 7.1.17

▶debiandebian/libitext5-java< libitext5-java 5.5.13.3-1 (bookworm)

Also affects: Debian Linux 10.0, 11.0

🔴Vulnerability Details

GHSA

Command injection in itext7-core↗2021-12-16

▶

OSV

Command injection in itext7-core↗2021-12-16

▶

OSV

CVE-2021-43113: iTextPDF in iText 7 and up to (excluding 4↗2021-12-15

▶

📋Vendor Advisories

Oracle

Oracle Oracle Construction and Engineering Risk Matrix: Reports (iTextPDF) — CVE-2021-43113↗2026-01-15

▶

Oracle

Oracle Oracle Insurance Applications Risk Matrix: Enterprise Edition (iTextPDF) — CVE-2021-43113↗2024-04-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Content Server (iTextPDF) — CVE-2021-43113↗2023-07-15

▶

Debian

CVE-2021-43113: libitext5-java - iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injecti...↗2021

▶

🕵️Threat Intelligence

Qualys

Oracle Patch Tuesday, July 2023 Security Update Review↗2023-07-19

▶

Qualys

Oracle Patch Tuesday, July 2023 Security Update Review | Qualys↗2023-07-19

▶

📄Research Papers

arXiv

Cross-ecosystem categorization: A manual-curation protocol for the categorization of Java Maven libraries along Python PyPI Topics↗2024-03-10

▶