No Change Required
net.sf.jasperreports:jasperreports:6.18.1 depends on com.lowagie:itext:2.1.7.js9, which has two known vulnerabilities (CVE-2017-9096 and CVE-2021-43113).
Could jasperreports please update its itext dependency to a newer version of itext, so that those of us depending on jasperreports won't be pulling in a version of itext known to have vulnerabilities?
I already reported CVE-2021-43113 in https://community.jaspersoft.com/jasperreports-library/issues/13961. They claim it is a non-issue.
I assume you are aware that since version 5+ there was a change of license for iText, which prevents people from using it for free in commercial applications. Furthermore, the package names have been changed so iText 2.1.7 and iText 5 and iText 7 are all totally different dependencies.
They cannot simply be replaced with one another.
Because of the license change in iText, we have created a separate project which acts as a plugin to JasperReports and can be used by those who want the latest iText:
But again, be aware of license.