CVE-2021-43113: Command injection in itext7-core
CVSS Score: 9.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2021-43113
GHSA ID:
EPSS Score: 0.83615%
CWE: CWE-77
Published: 12/16/2021
Updated: 3/27/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
com.itextpdf:itext7-core | maven | < 7.1.17 | 7.1.17
com.itextpdf:itextpdf | maven | < 5.5.13.3 | 5.5.13.3
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description and PoC explicitly reference command injection through Ghostscript command-line handling in GhostscriptHelper.java. The executeGhostScript method would be responsible for building and executing the gs command. The PoC demonstrates that user-controlled filenames passed through CompareTool are incorporated into the command line without proper escaping, enabling parameter injection. The CWE-77 classification confirms this is a command injection scenario in which user input is not neutralized before being used in system commands.
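The pattern the analysis describes, as an added example in Java. This is not iText's GhostscriptHelper or CompareTool code and not the PoC; the class, method and variable names, the base directory and the particular Ghostscript switches are assumptions. It places a command line built by string concatenation next to a hardened form that allowlists file names, refuses option-like names, confines the resolved path to a base directory, and passes arguments to ProcessBuilder as a list so that no shell parses them.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical illustration of the pattern in the root cause analysis; not iText's
// GhostscriptHelper and not the PoC. All names below are assumptions.
public class GhostscriptInvocationExample {

    // Vulnerable pattern: caller-controlled file names are spliced into one command
    // string. Whatever later splits that string (a shell or a naive tokenizer) sees
    // injected options or extra arguments as part of the command itself.
    static String buildUnsafeCommand(String gsPath, String inputPdf, String outputPng) {
        return gsPath + " -dNOPAUSE -dBATCH -sDEVICE=png16m"
                + " -sOutputFile=" + outputPng + " " + inputPdf;
    }

    // Hardened pattern, part 1: accept only plain file names from a character
    // allowlist, refuse anything that starts like an option, and confine the
    // resolved path to a base directory. '|' and '%' are deliberately excluded
    // because Ghostscript gives both special meaning in OutputFile values.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]*");

    static Path validateFileName(Path baseDir, String fileName) {
        if (fileName == null || !SAFE_NAME.matcher(fileName).matches()) {
            throw new IllegalArgumentException("rejected file name: " + fileName);
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(fileName).normalize();
        if (!resolved.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base directory: " + fileName);
        }
        return resolved;
    }

    // Hardened pattern, part 2: build an argument vector, one element per argument.
    // ProcessBuilder passes these to the OS directly, so no shell interprets them.
    // The file-name check above is still required, because gs itself would treat an
    // argument beginning with '-' as a switch even without a shell in the path.
    static List<String> buildArgv(String gsPath, Path inputPdf, Path outputPng) {
        List<String> argv = new ArrayList<>(Arrays.asList(
                gsPath, "-dSAFER", "-dNOPAUSE", "-dBATCH", "-sDEVICE=png16m",
                "-sOutputFile=" + outputPng.toString()));
        argv.add(inputPdf.toString());
        return Collections.unmodifiableList(argv);
    }

    static int runGhostscript(List<String> argv) throws IOException, InterruptedException {
        Process process = new ProcessBuilder(argv)
                .redirectErrorStream(true)
                .start();
        return process.waitFor();
    }

    public static void main(String[] args) {
        Path base = Paths.get("/tmp/compare");   // assumed working directory
        Path in = validateFileName(base, "page1.pdf");
        Path out = validateFileName(base, "page1.png");
        System.out.println(String.join(" ", buildArgv("gs", in, out)));

        // Names that fail validation never reach the gs command line.
        for (String bad : new String[] {"-dFOO", "a;b.pdf", "out|x.png", "../x.pdf"}) {
            try {
                validateFileName(base, bad);
            } catch (IllegalArgumentException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

The two defences are independent: the argument list removes the shell from the picture, and the allowlist removes option-like and metacharacter-bearing names before the interpreter ever sees them. Dropping either one leaves a path for the parameter injection the analysis describes.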