[#13961] - iText has a critical new security vulnerability

Category: General
Priority: Normal
Status: Feedback Requested
Project:
Severity: Minor
Resolution: Open
Component:
Reproducibility: N/A
Assigned to: 0

Jasperreports still depends on com.lowagie.itext 2.1.7. As reported at https://nvd.nist.gov/vuln/detail/CVE-2021-43113:

Base Score: 9.8 CRITICAL

iTextPDF in iText before 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.

Can you give further details on whether Jasperreports is affected or not?

If it is:
* are there any mitigations?
* is a patch scheduled?

v6.18.1

2 Comments:

#1
  • Status: New » Feedback Requested
  • Assigned: nobody » teodord

Hi,

Since version 2.1.7, the iText library has been rewritten twice: once for 5+ and then for 7+.
This CVE probably refers to the iText 7+ library. You can see that the class "GhostscriptHelper" mentioned in the CVE does not even exist in iText 2+.

Thank you,
Teodor

#2

Hi Teodor,

Thank you for the quick answer. That is good news.

Can you also confirm that the affected functionality (i.e. executing GhostScript on the command line) is not available in 2.1.7?

It may well be that 2.1.7 is so old (we are talking 12 years here) that it was simply out of scope for CVE-2021-43113. The feature _may_ have been there all along and only moved to a dedicated helper class during one of the rewrites, right?

Cheers,

Juri
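Teodor's argument in #1 (the class named in the CVE is absent from iText 2.x) and Juri's follow-up in #2 can both be checked against the jar that is actually on the classpath rather than against the CVE text. The script below is an added example, not JasperReports or iText code: it lists the entries of a jar whose simple class name matches the names the CVE mentions ("GhostscriptHelper", "CompareTool"). The sample jars are constructed in memory, and the iText 7 package paths used in them are assumptions.

```python
"""Check whether a jar ships the classes named in CVE-2021-43113.

Added example (not JasperReports/iText code). Matches on the simple class
name only, because package paths differ between iText generations.
"""
import io
import zipfile

# Simple class names mentioned in the CVE description.
CVE_2021_43113_CLASSES = ("GhostscriptHelper", "CompareTool")


def find_classes(jar_bytes: bytes, simple_names=CVE_2021_43113_CLASSES) -> dict:
    """Return {simple_name: [jar entries]} for every .class entry whose simple
    name matches. Inner classes (Foo$Bar.class) are reported under Foo."""
    hits = {name: [] for name in simple_names}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            simple = entry.rsplit("/", 1)[-1][:-len(".class")].split("$", 1)[0]
            if simple in hits:
                hits[simple].append(entry)
    return hits


def affected_class_present(jar_bytes: bytes) -> bool:
    """True if the jar contains the helper the CVE says builds the gs command line."""
    return bool(find_classes(jar_bytes)["GhostscriptHelper"])


def make_jar(entries) -> bytes:
    """Build a constructed, empty-bodied jar in memory for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


# Constructed sample entry lists (not real jar contents; iText 7 paths assumed).
ITEXT_2_LIKE = make_jar(["META-INF/MANIFEST.MF", "com/lowagie/text/pdf/PdfReader.class"])
ITEXT_7_LIKE = make_jar(["META-INF/MANIFEST.MF",
                         "com/itextpdf/io/util/GhostscriptHelper.class",
                         "com/itextpdf/kernel/utils/CompareTool.class",
                         "com/itextpdf/kernel/utils/CompareTool$CompareResult.class"])

if __name__ == "__main__":
    for label, jar in (("itext-2-like", ITEXT_2_LIKE), ("itext-7-like", ITEXT_7_LIKE)):
        print(label, "affected class present:", affected_class_present(jar), find_classes(jar))
```

To run it against a real artifact, pass `open("itext-2.1.7.jar", "rb").read()` to `affected_class_present`; an empty result for "GhostscriptHelper" supports Teodor's point, while a hit means the jar is a 7.x-line build and the fixed 7.1.17 or later should be used.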
