
CVE-2022-24198: Out-of-bounds Read in iText

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.55827%
Published: 2/2/2022
Updated: 3/7/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected package
Package Name: com.itextpdf:itext7-core
Ecosystem: maven
Vulnerable Versions: <= 7.1.17
First Patched Version: 7.2.0

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The CVE description and GitHub advisory explicitly name ARCFOUREncryption.encryptARCFOUR as the vulnerable component. The linked bug report shows this function throws ArrayIndexOutOfBoundsException at line 93 when processing malicious input. While the vendor disputes exploitability, the technical evidence (exception type, location, and attack vector) aligns with CWE-125's out-of-bounds read pattern. No other functions from the bug report are explicitly tied to this specific CVE in the provided documentation.


WAF Protection Rules

WAF Rule

iText v7.1.17 was discovered to contain an out-of-bounds exception via the component ARCFOUREncryption.encryptARCFOUR, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file. NOTE: Vendor does not view this as a vulnerability.
