In our project pom.xml we use flying-saucer-pdf-itext5 version 9.1.22, which has a dependency on itextpdf version 5.5.12. Our pipeline fails because the OWASP step complains about itextpdf in relation to this security issue: https://nvd.nist.gov/vuln/detail/CVE-2021-43113

However, this issue mentions that

> iTextPDF in iText before 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.

which I guess is related to this dependency: itext7-core

We don't use this dependency directly and I also can't find it in dependencies of itextpdf.

I excluded the itextpdf 5.5.12 from flying-saucer-pdf-itext5 and added the newest version, 5.5.13.2, but the issue still exists.

Any idea where I should look for this dependency and how to resolve this security issue?

Guillaume Husta
MehdiB
  • look at the expanded pom to see what else is pulling it in and add more exclusions or library upgrades... – jwenting Dec 20 '21 at 12:35
  • Facing the same issue. GhostscriptHelper.java is not part of iText5. It seems the CVE description is misleading or iText5 is not affected at all. – Armando Prieto Dec 23 '21 at 17:51
  • If you use the **Dependency-Check** plugin and you think it is a _false positive_ report, you can try to submit an issue at: https://github.com/jeremylong/DependencyCheck/issues/new/choose – Guillaume Husta Jan 03 '22 at 10:12
  • See also: https://github.com/jeremylong/DependencyCheck/issues/3762#issuecomment-1003739968 – Guillaume Husta Jan 03 '22 at 10:42
  • See also: https://github.com/LibrePDF/OpenPDF/issues/639 – Guillaume Husta Jan 03 '22 at 10:42
  • Are you using the compare tool of itext? If I read the issue correctly, it is about the itext compare tool (which IIRC is only used for tests when _building_ itext, not for _running_ itext functions). So if you don't use that compare tool, the CVE does not apply. – mkl Jan 03 '22 at 22:19
  • The fix from iText 7 will also be backported to iText 5 but no commitments on timelines yet. Most likely you are not using `CompareTool` if you are using `flying-saucer-pdf` so this alert is a false positive for you – Alexey Subach Jan 12 '22 at 22:44

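For readers hitting the same pipeline failure, the following is an added example (not code from the question, nor from the flying-saucer, iText or Dependency-Check projects) of the two steps the comments converge on: pin iText 5 explicitly in the pom so the excluded 5.5.12 cannot come back, and, only after confirming that nothing else in the build pulls in `itext7-core`, suppress this one CVE for this one artifact with a written justification. The plugin version, the `failBuildOnCVSS` threshold, the file name `dependency-check-suppressions.xml` and the reviewer placeholders in the notes are assumptions; the coordinates and versions are the ones named in the question.

```xml
<!-- pom.xml fragment (added example; project layout assumed) -->
<project>
  <!-- ... groupId / artifactId / version of your own project ... -->
  <dependencies>
    <dependency>
      <groupId>org.xhtmlrenderer</groupId>
      <artifactId>flying-saucer-pdf-itext5</artifactId>
      <version>9.1.22</version>
      <exclusions>
        <!-- drop the transitive iText 5.5.12 so the explicit version below is the only one on the classpath -->
        <exclusion>
          <groupId>com.itextpdf</groupId>
          <artifactId>itextpdf</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <!-- explicit iText 5 line; this artifact does not contain GhostscriptHelper/CompareTool -->
      <groupId>com.itextpdf</groupId>
      <artifactId>itextpdf</artifactId>
      <version>5.5.13.2</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>6.5.1</version> <!-- assumed; use the release your pipeline already runs -->
        <configuration>
          <!-- assumed threshold: fail the build on high/critical findings -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <suppressionFiles>
            <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
          </suppressionFiles>
        </configuration>
        <executions>
          <execution>
            <goals><goal>check</goal></goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>

<!-- ===== dependency-check-suppressions.xml (separate file, added example) ===== -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2021-43113 concerns CompareTool/GhostscriptHelper in iText 7 (itext7-core).
      This build ships only com.itextpdf:itextpdf (iText 5), which has no GhostscriptHelper.
      Reviewed by <reviewer placeholder> on <date placeholder>; revisit once iText publishes
      the iText 5 backport mentioned by the vendor.
    ]]></notes>
    <!-- scope: only the iText 5 artifact, only this CVE -->
    <packageUrl regex="true">^pkg:maven/com\.itextpdf/itextpdf@5\..*$</packageUrl>
    <cve>CVE-2021-43113</cve>
  </suppress>
</suppressions>
```

Before adding the suppression, run `mvn dependency:tree -Dincludes=com.itextpdf` (or inspect `mvn help:effective-pom`, the "expanded pom" from the first comment) and confirm that the only iText artifact resolved is `itextpdf` 5.5.13.2 and that no `itext7-core` appears transitively; if it does, the suppression is not justified and that dependency needs upgrading or excluding instead. Keeping the `<packageUrl>` and `<cve>` narrow means a future iText 7 artifact or a different CVE on iText 5 will still fail the pipeline, and the `<notes>` block leaves an audit trail for the next person who asks why the finding is silenced.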
0 Answers