CVE-2021-43113
Description
iText 7 and up to 7.1.17 contains a command injection vulnerability via a CompareTool filename mishandled on the Ghostscript command line.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A command injection vulnerability exists in iText 7 versions prior to 7.1.17, within the GhostscriptHelper.java class. The CompareTool class fails to properly sanitize filenames passed to the Ghostscript command line, allowing an attacker to inject arbitrary parameters. Versions affected are 4.4.13.3 through 7.1.17 [1][3].
Exploitation
An attacker must be able to control the filename parameter passed to the CompareTool.compareVisually() method. The attack does not require authentication if the application exposes this method to untrusted input. By crafting a malicious filename containing shell metacharacters (e.g., a.pdf" -sstdout=hi.txt # ), the attacker can inject arbitrary Ghostscript command-line arguments [3]. The ITEXT_GS_EXEC environment variable must point to a valid Ghostscript executable for the command to be executed [3].
Impact
Successful exploitation allows the attacker to inject arbitrary parameters into the Ghostscript command line. This can lead to disabling security features (e.g., -dNOSAFER overriding -dSAFER) or redirecting output, potentially resulting in information disclosure or further system compromise depending on the Ghostscript version and capabilities [3]. The attacker achieves command injection within the context of the iText application.
Mitigation
The vulnerability is fixed in iText 7.1.17, released on November 14, 2021 [3][4]. Users should upgrade to version 7.1.17 or later. No workaround is publicly available for affected versions [1][4].
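To show the defensive pattern behind this class of bug, here is an added example; it is not iText's GhostscriptHelper and not the 7.1.17 fix, and the class and method names are hypothetical. The file name is checked against a strict allowlist and every Ghostscript argument is passed as its own argv element, so a name like the a.pdf" -sstdout=hi.txt # sample above is rejected and could not split into extra options even if it got through.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical helper written for this page; not iText's GhostscriptHelper or its 7.1.17 fix.
public final class SafeGhostscriptRunner {

    // Allowlist: a bare PDF file name of safe characters, no path separators, quotes or spaces.
    private static final Pattern SAFE_PDF_NAME = Pattern.compile("[A-Za-z0-9._-]{1,128}\\.pdf");

    // Returns true only for names that cannot carry an extra command-line token.
    public static boolean isSafePdfName(String name) {
        return name != null && SAFE_PDF_NAME.matcher(name).matches();
    }

    // Builds the argv list. Each entry is exactly one argument to Ghostscript, so a name such as
    // a.pdf" -sstdout=hi.txt #  is never re-tokenized into additional options by a shell.
    public static List<String> buildArgv(String gsExec, Path workDir, String pdfName) {
        if (!isSafePdfName(pdfName)) {
            throw new IllegalArgumentException("rejected unsafe PDF file name");
        }
        String outPrefix = pdfName.substring(0, pdfName.length() - ".pdf".length());
        List<String> argv = new ArrayList<>();
        argv.add(gsExec);
        argv.add("-dSAFER");              // keep the sandbox on; input must not be able to turn it off
        argv.add("-dBATCH");
        argv.add("-dNOPAUSE");
        argv.add("-sDEVICE=png16m");
        argv.add("-sOutputFile=" + workDir.resolve(outPrefix + "-%03d.png"));
        argv.add(workDir.resolve(pdfName).toString());
        return argv;
    }

    // Launches Ghostscript through ProcessBuilder with an argv list, not a concatenated shell string.
    // gsExec should come from a trusted source such as the ITEXT_GS_EXEC environment variable.
    public static Process run(String gsExec, Path workDir, String pdfName) throws IOException {
        ProcessBuilder pb = new ProcessBuilder(buildArgv(gsExec, workDir, pdfName));
        pb.directory(workDir.toFile());
        pb.redirectErrorStream(true);
        return pb.start();
    }

    public static void main(String[] args) {
        System.out.println(isSafePdfName("report.pdf"));
        System.out.println(isSafePdfName("a.pdf\" -sstdout=hi.txt #"));
    }
}
```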
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.itextpdf:itext7-core | Maven | < 7.1.17 | 7.1.17 |
| com.itextpdf:itextpdf | Maven | < 5.5.13.3 | 5.5.13.3 |
Affected products
- iTextPDF/iText (2 version ranges)
  - range: < 7.1.17 (no CPE)
  - range: < 5.5.13.3 (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-gv87-q66h-4277 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-43113 (advisory)
- www.debian.org/security/2023/dsa-5323 (vendor advisory)
- github.com/itext/itext7/releases/tag/7.1.17 (web)
- github.com/itext/itextpdf/releases/tag/5.5.13.3 (web)
- lists.debian.org/debian-lts-announce/2023/01/msg00013.html (mailing list)
- pastebin.com/BXnkY9YY (web)
News mentions
No linked articles in our index yet.