Vulnerability Description
iTextPDF in iText 7, from 7.0.0 up to but excluding 7.1.17, allows command injection via a CompareTool file name that is passed unsanitised into the gs (Ghostscript) command line built in GhostscriptHelper.java. The original description also cites "4.4.13.3", which is not an iText release; the reference list points to the iText 5 release 5.5.13.3, which appears to be the intended fixed version for that line.
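The bug class behind this CVE, shown as an added, constructed example (not code from iText's GhostscriptHelper.java): a caller-controlled file name is spliced into a Ghostscript command line. The helper names, the gs flag set and the validation regex are assumptions for illustration. The vulnerable builder returns one string, so a file name containing whitespace or shell metacharacters changes how many arguments gs receives; the hardened builder allow-lists the name and returns an argv list that should be executed without a shell.

```python
import re
import shlex

# Added, constructed illustration of the bug class behind CVE-2021-43113: a
# caller-controlled file name is spliced into the Ghostscript command line.
# The helper names, the gs flag set and the validation regex are assumptions
# for this example, not code from iText's GhostscriptHelper.java.

GS = "gs"
GS_BASE_ARGS = ["-dSAFER", "-dBATCH", "-dNOPAUSE", "-sDEVICE=png16m"]


def build_gs_command_unsafe(pdf_path: str, out_png: str) -> str:
    """Vulnerable pattern: concatenate untrusted paths into one command string.

    Whether that string later reaches /bin/sh or is merely split on whitespace
    (java.lang.Runtime.exec(String) does the latter), the file name decides how
    many arguments the gs process sees, so a crafted name can smuggle options.
    """
    return f"{GS} {' '.join(GS_BASE_ARGS)} -sOutputFile={out_png} {pdf_path}"


def tokens_as_executed(cmd: str) -> list:
    """Approximate the argv a shell or whitespace tokenizer derives from cmd."""
    return shlex.split(cmd)


# Allow-list for a bare file name: no directory separators, no whitespace, no
# shell metacharacters, and no leading '-' or '.' so the name can never parse
# as a gs option or as a relative traversal component. Assumed policy.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def is_safe_name(name: str, ext: str) -> bool:
    return bool(_SAFE_NAME.match(name)) and name.lower().endswith(ext)


def _checked_name(name: str, ext: str) -> str:
    if not is_safe_name(name, ext):
        raise ValueError(f"rejected file name: {name!r}")
    return name


def build_gs_command_safe(pdf_path: str, out_png: str) -> list:
    """Hardened pattern: validate each name, then build an argv list so every
    path is exactly one argument whatever it contains. Run it with
    subprocess.run(argv) (shell=False), never by joining it into a string."""
    return [GS, *GS_BASE_ARGS,
            f"-sOutputFile={_checked_name(out_png, '.png')}",
            _checked_name(pdf_path, '.pdf')]


def demo() -> dict:
    # Constructed attacker-controlled name that drags extra gs arguments along.
    crafted = "in.pdf -sOutputFile=/tmp/pwned.png -c quit"
    unsafe_argv = tokens_as_executed(build_gs_command_unsafe(crafted, "out.png"))
    try:
        build_gs_command_safe(crafted, "out.png")
        rejected = False
    except ValueError:
        rejected = True
    safe_argv = build_gs_command_safe("in.pdf", "out.png")
    return {
        "unsafe_argv": unsafe_argv,   # 10 tokens: smuggled options became real arguments
        "safe_argv": safe_argv,       # 7 tokens: exactly the intended command
        "crafted_rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The argv list alone is not sufficient: a file name beginning with `-` would still be parsed by gs as an option, which is why the allow-list rejects a leading dash as well as whitespace and separators.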
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Itextpdf | Itext | >= 7.0.0, < 7.1.17 |
| Debian | Debian Linux | 10.0 |
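A quick way to check a Java build against the affected range above, as an added example that is not part of the advisory: parse `mvn dependency:tree` output and flag `com.itextpdf` artifacts whose version falls in [7.0.0, 7.1.17). The sample tree is constructed and the artifact ids in it are assumptions; the version-range logic is what the table states.

```python
import re

# Added example, not part of the advisory: flag iText 7 artifacts in Maven
# dependency:tree output that fall in the affected range [7.0.0, 7.1.17).
# The sample tree below is constructed; the artifact ids are assumptions.

AFFECTED_LOW = (7, 0, 0)
FIXED = (7, 1, 17)

# Matches the "group:artifact:type:version:scope" coordinates mvn prints.
_COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?:jar|pom):(?P<version>[\d.]+)"
)


def parse_version(version: str) -> tuple:
    """'7.1.16' -> (7, 1, 16); tuples compare component-wise, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True if an iText 7 version sits in [7.0.0, 7.1.17)."""
    return AFFECTED_LOW <= parse_version(version) < FIXED


def affected_artifacts(tree_output: str) -> list:
    """Return 'group:artifact:version' for every com.itextpdf hit in range."""
    hits = []
    for line in tree_output.splitlines():
        match = _COORD.search(line)
        if not match or match["group"] != "com.itextpdf":
            continue
        if is_affected(match["version"]):
            hits.append(f"{match['group']}:{match['artifact']}:{match['version']}")
    return hits


# Constructed sample of `mvn dependency:tree` output.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.itextpdf:kernel:jar:7.1.16:compile
[INFO] |  \\- com.itextpdf:io:jar:7.1.16:compile
[INFO] +- com.itextpdf:layout:jar:7.1.17:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.36:compile
"""


if __name__ == "__main__":
    for hit in affected_artifacts(SAMPLE_TREE):
        print("affected:", hit)
```

Transitive dependencies matter here: the vulnerable helper ships in a core module, so a project that only declares a higher-level iText artifact can still pull an affected version in, which is why the check walks the whole tree rather than the pom's direct dependencies.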
Related Weaknesses (CWE)
References
- https://github.com/itext/itext7/releases/tag/7.1.17 (Release Notes, Third Party Advisory)
- https://github.com/itext/itextpdf/releases/tag/5.5.13.3 (Release Notes)
- https://lists.debian.org/debian-lts-announce/2023/01/msg00013.html (Mailing List, Third Party Advisory)
- https://pastebin.com/BXnkY9YY (Exploit, Third Party Advisory)
- https://www.debian.org/security/2023/dsa-5323 (Third Party Advisory)
FAQ
What is CVE-2021-43113?
CVE-2021-43113 is a command-injection vulnerability with a CVSS base score of 9.8 (CRITICAL). iTextPDF in iText 7, from 7.0.0 up to but excluding 7.1.17, passes a CompareTool file name unsanitised into the gs (Ghostscript) command line built in GhostscriptHelper.java, so a crafted file name can alter the command that is executed.
How severe is CVE-2021-43113?
CVE-2021-43113 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-43113?
Yes. The iText 7 fix is in release 7.1.17 and the iText 5 fix in release 5.5.13.3 (see the release notes linked in the references). Debian shipped fixed packages via DSA-5323 and the January 2023 debian-lts-announce message, both linked above. Affected products listed on this page: Itextpdf Itext and Debian Debian Linux 10.0.