Description
iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.
References (5)
Mailing List, Third Party Advisory: https://lists.debian.org/debian-lts-announce/2023/01/msg00013.html
Third Party Advisory (vendor advisory): https://www.debian.org/security/2023/dsa-5323
Release Notes, Third Party Advisory: https://github.com/itext/itext7/releases/tag/7.1.17
Exploit, Third Party Advisory: https://pastebin.com/BXnkY9YY
Release Notes: https://github.com/itext/itextpdf/releases/tag/5.5.13.3
Scores
CVSS v3: 9.8
EPSS: 0.0517
EPSS Percentile: 91.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-77
Status: published
Products (5)
com.itextpdf/itext7-core: 0 - 7.1.17 (Maven)
com.itextpdf/itextpdf: 0 - 5.5.13.3 (Maven)
debian/debian_linux: 10.0
debian/debian_linux: 11.0
itextpdf/itext: 7.0.0 - 7.1.17
Published: Dec 15, 2021
Tracked Since: Feb 18, 2026