iText 2.1.7 CVE-2017-9096


As far as I know, Jasper Reports uses its own fork version, iText 2.1.7-js. At the same time, I have no confirmation about closed vulnerabilities (CVE-2017-9096). The js1-8 versions are not mentioned in the iText stable tags.

I found a question where the same question is linked with another vulnerability (CVE-2018-5382), which is not the same.

Could you confirm whether the CVE-2017-9096 vulnerability is fixed in some fork versions or is waiting to be resolved in some future updates?



misha.filat

1 Answer:

In my recent Maven library dependency build of jasperreport 6.17.0, it still depends on itext 2.1.7, which is a lower version and has reached End of Life.

May I know when the Jasperreports library will be updated to use a higher version of iText, i.e. itext 7.xx, or move to another library for PDF generation?

Please do share the roadmap on this.

Thank you

osolariso