EM 10.7.0.358: CVE-2021-43113 iText

Article ID: 232985

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

A brand new vulnerability has been published for iText: https://nvd.nist.gov/vuln/detail/CVE-2021-43113 (CVSS 9.8)

iTextPDF in iText before 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.

I'm confident that we can mark this as a false positive and no code changes are required since the CompareTool is not used. But still it would be good if Broadcom could assess it and add it to your KBA with the list of false positives.

Scanned version: 10.7.0.358

Found in:

plugins/com.ca.apm.introscope.workstation.webapp_10.7.0.jar ! /WebContent/WEB-INF/lib/iText.jar

plugins/com.wily.ui.jasper.report_10.7.0.jar ! /lib/itext-1.3.1.jar

plugins/com.tomsawyer_9.0.0.jar ! /lib/client/thirdparty/iText.jar


Environment

Release : 10.7.0

Component : Introscope

Resolution

APM is not vulnerable to this CVE. APM does not use the CompareTool class, and the filename passed to Ghostscript is not provided as input by the user or by any other service.
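The hazard the NVD description names, a file name reaching the gs command line in a way a shell can interpret, is a general pattern, and the resolution above turns on whether such a name can come from an untrusted source. The Java snippet below is an added illustration written for this article; it is not iText's GhostscriptHelper code and not anything from APM. It contrasts the weak string-spliced command with a hardened form that validates the name against an allow-list, pins it inside a fixed working directory, and hands an argv array to ProcessBuilder so no shell parses it. The class name, the working directory and the sample file names are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Generic illustration of the "file name on a gs command line" hazard
 * behind CVE-2021-43113. Not iText's GhostscriptHelper code.
 */
public final class GhostscriptInvocationExample {

    // Allow-list for a bare file name: must start with a letter or digit,
    // may contain '.', '_' and '-', no path separators, no shell metacharacters.
    // The leading-character rule also rejects "." and "..".
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$");

    /**
     * WEAK PATTERN: the name is spliced into one command string that is
     * later given to a shell. Any shell metacharacter in the name changes
     * the command the shell runs. Shown for contrast only.
     */
    static String weakCommandLine(String inputPdf, String outputPng) {
        return "gs -dSAFER -dBATCH -dNOPAUSE -sDEVICE=png16m "
                + "-sOutputFile=" + outputPng + " " + inputPdf;
    }

    /**
     * HARDENED PATTERN: allow-list the names, resolve them under a fixed
     * working directory (defence in depth against traversal), and build an
     * argv list for ProcessBuilder so the name is never shell-parsed.
     */
    static List<String> hardenedCommand(Path workDir, String inputPdf, String outputPng) {
        Path base = workDir.toAbsolutePath().normalize();
        Path inPath = base.resolve(requireSafeName(inputPdf)).normalize();
        Path outPath = base.resolve(requireSafeName(outputPng)).normalize();
        if (!inPath.startsWith(base) || !outPath.startsWith(base)) {
            throw new IllegalArgumentException("path escapes working directory");
        }
        return Arrays.asList(
                "gs", "-dSAFER", "-dBATCH", "-dNOPAUSE", "-sDEVICE=png16m",
                "-sOutputFile=" + outPath, inPath.toString());
    }

    static String requireSafeName(String name) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("rejected file name: " + name);
        }
        return name;
    }

    public static void main(String[] args) {
        Path workDir = Paths.get("/tmp/pdfcompare"); // assumed location
        // Constructed sample names: one acceptable, one carrying a shell metacharacter.
        for (String name : new String[] {"report.pdf", "report.pdf;id"}) {
            try {
                List<String> argv = hardenedCommand(workDir, name, "report.png");
                System.out.println("accepted -> " + argv);
                // To actually run it: new ProcessBuilder(argv).inheritIO().start().waitFor();
            } catch (IllegalArgumentException e) {
                System.out.println("rejected -> " + e.getMessage());
            }
        }
    }
}
```

The first name is accepted and yields a plain argv list; the second is rejected by the allow-list before any command is built. Even where a name is trusted, as the resolution states for APM, the argv form is the one to keep, because it removes the shell from the path entirely.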