PT-2021-23745 · Itext+1

Gabriele Zuddas · Published 2021-12-15 · Updated 2026-02-25 · CVE-2021-43113

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: iText versions prior to 7.1.17
Description: iText's CompareTool renders PDFs for visual comparison by invoking the external gs (Ghostscript) binary through GhostscriptHelper.java. A filename handed to CompareTool is placed on that gs command line without being sanitized, so a filename carrying command-line metacharacters changes the command that is actually executed. An attacker who controls a filename that reaches CompareTool can therefore run arbitrary commands with the privileges of the process hosting iText. The CVSS vector reflects that no privileges or user interaction are needed once such a filename is accepted.
Recommendations: Update to iText 7.1.17 or later. Until the update is applied, make sure CompareTool (and the GhostscriptHelper it relies on) is never invoked with filenames that originate from untrusted input; CompareTool is a PDF comparison utility intended for tests, so in most deployments it can simply be kept out of production code paths. Where it must be used, restrict the filenames it receives to a strict allow-list of characters (alphanumerics, dot, underscore, hyphen), reject anything containing quotes, whitespace, path separators or shell metacharacters, and reject names beginning with a dash, which Ghostscript would parse as an option rather than a file.
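The two ways of handing a caller-supplied filename to Ghostscript, as an added illustration that is not iText's code: the first builds one command string that a shell later parses (the bug class described above), the second validates the name and passes argv as a list so no shell is involved. The class name GhostscriptInvocation, the helper names, the allow-list regexes and the particular gs option set are assumptions for this example; the sample filenames are constructed.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not iText code: contrasts an injectable gs command line
 * with a hardened argv-based invocation.
 */
public class GhostscriptInvocation {

    private static final String GS_EXEC = "gs";

    // Real Ghostscript options; this particular combination is assumed for the demo.
    private static final String[] GS_FIXED_ARGS = {
        "-dSAFER", "-dNOPAUSE", "-dBATCH", "-sDEVICE=png16m", "-r150"
    };

    // Allow-lists (assumed for this example): plain names only, no path separators,
    // no quotes or whitespace, and no leading dash, which gs would read as an option.
    private static final Pattern SAFE_PDF_NAME =
        Pattern.compile("^[A-Za-z0-9_][A-Za-z0-9_.-]*\\.pdf$");
    private static final Pattern SAFE_OUT_PATTERN =
        Pattern.compile("^[A-Za-z0-9_][A-Za-z0-9_.%-]*\\.png$");

    /**
     * Vulnerable pattern: the filename is concatenated into a single string.
     * If that string is later run as  sh -c "<cmd>"  (the unsafe step, shown
     * below as a comment only), quotes and ';' in the name end the literal
     * and start a second command.
     */
    static String buildShellCommand(String pdfName, String outPattern) {
        String cmd = GS_EXEC + " " + String.join(" ", GS_FIXED_ARGS)
            + " -sOutputFile='" + outPattern + "' '" + pdfName + "'";
        // new ProcessBuilder("sh", "-c", cmd).start();   // never do this
        return cmd;
    }

    /**
     * Hardened pattern: reject anything outside the allow-list, then build
     * argv as a list. Each element reaches gs as one argument; a shell never
     * sees the string, so metacharacters are inert even if one slips through.
     */
    static List<String> buildArgv(String pdfName, String outPattern) {
        if (!SAFE_PDF_NAME.matcher(pdfName).matches()) {
            throw new IllegalArgumentException("rejected PDF name: " + pdfName);
        }
        if (!SAFE_OUT_PATTERN.matcher(outPattern).matches()) {
            throw new IllegalArgumentException("rejected output pattern: " + outPattern);
        }
        List<String> argv = new ArrayList<>();
        argv.add(GS_EXEC);
        argv.addAll(Arrays.asList(GS_FIXED_ARGS));
        argv.add("-sOutputFile=" + outPattern);
        argv.add(pdfName);
        return Collections.unmodifiableList(argv);
    }

    /** Runs gs without a shell; requires a gs binary on PATH. */
    static int runGhostscript(String pdfName, String outPattern)
            throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(buildArgv(pdfName, outPattern));
        pb.inheritIO();
        return pb.start().waitFor();
    }

    public static void main(String[] args) {
        // Constructed inputs: one benign name, one carrying shell metacharacters.
        String benign = "report.pdf";
        String hostile = "x.pdf'; touch /tmp/pwned; echo '";
        String out = "page-%03d.png";

        System.out.println(buildShellCommand(benign, out));
        System.out.println(buildShellCommand(hostile, out));
        // The second line ends in  'x.pdf'; touch /tmp/pwned; echo ''  : under sh -c
        // the quote in the name closes the literal and the rest runs as its own command.

        System.out.println(buildArgv(benign, out));
        try {
            buildArgv(hostile, out);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened path: " + e.getMessage());
        }
    }
}
```

Both controls matter. ProcessBuilder with a list hands the arguments straight to the gs process on Unix, so shell injection is impossible through that path; the allow-list is still needed because gs itself interprets a leading dash as an option, and because on Windows Java flattens the list into one command line that the child re-parses, so odd quoting in a name is still worth refusing outright.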

Weakness Enumeration: Command Injection

Related Identifiers

CVE-2021-43113
DLA-3273-1
DSA-5323-1
GHSA-GV87-Q66H-4277
OPENSUSE-SU-2024:11980-1

Affected Products

Ghostscript
Itext

Ghostscript is listed because it is the binary being invoked; the defect is in how iText builds the gs command line, so updating Ghostscript alone does not remove the issue.