EM CVE-2021-43113 iText


Article ID: 232985


Updated On:


CA Application Performance Management (APM / Wily / Introscope)


A brand new vulnerability has been published for iText: https://nvd.nist.gov/vuln/detail/CVE-2021-43113 (CVSS 9.8)

iTextPDF in iText before 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.

I'm confident that we can mark this as a false positive and that no code changes are required, since the CompareTool is not used. Still, it would be good if Broadcom could assess it and add it to your KBA with the list of false positives.

Scanned version:

found in:

plugins/com.ca.apm.introscope.workstation.webapp_10.7.0.jar ! /WebContent/WEB-INF/lib/iText.jar

plugins/com.wily.ui.jasper.report_10.7.0.jar ! /lib/itext-1.3.1.jar

plugins/com.tomsawyer_9.0.0.jar ! /lib/client/thirdparty/iText.jar



Release : 10.7.0

Component : Introscope


APM is not vulnerable to this CVE: APM does not use the CompareTool class, and the filename is not supplied as input by a user or by any other service.
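The triage above rests on a first step: confirming whether the bundled iText jars even ship the CompareTool/GhostscriptHelper code path. The following is an added example (not Broadcom's or iText's own code) that walks a plugin jar and its nested jars and reports where those classes are present, using the `outer.jar ! /inner.jar` notation of the scanner output above. The class paths `com/itextpdf/kernel/utils/CompareTool.class` and `.../GhostscriptHelper.class` are assumed from iText 7's kernel module, and the sample plugin jar is constructed in memory. Presence of the class only means the code is bundled; whether it is ever invoked with attacker-controlled filenames is the separate question the resolution answers.

```python
import io
import zipfile

# Assumed entry names for iText 7's kernel module; their presence means the
# CompareTool / Ghostscript code path named in CVE-2021-43113 is bundled.
CVE_CLASSES = (
    "com/itextpdf/kernel/utils/CompareTool.class",
    "com/itextpdf/kernel/utils/GhostscriptHelper.class",
)


def scan_jar_bytes(data, path):
    """Return [(jar_path, bundles_cve_classes)] for this jar and every jar nested in it.

    Nested jars are reported as 'outer.jar ! /inner.jar', matching the scanner output."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()  # list, so traversal order is stable
        findings.append((path, any(c in names for c in CVE_CLASSES)))
        for name in names:
            if name.lower().endswith(".jar"):
                findings.extend(scan_jar_bytes(zf.read(name), f"{path} ! /{name}"))
    return findings


def flagged_jars(data, path):
    """Only the jar paths that actually bundle one of the CVE classes."""
    return [p for p, hit in scan_jar_bytes(data, path) if hit]


def build_jar(entries):
    """Build an in-memory jar (a zip) from {entry_name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a plugin jar bundling an old iText 1.x jar (no CompareTool)
# and an iText 7 style jar that ships CompareTool. Class bodies are dummy bytes.
INNER_OLD = build_jar({"com/lowagie/text/Document.class": b"\xca\xfe\xba\xbe"})
INNER_7 = build_jar({
    "com/itextpdf/kernel/PdfDocument.class": b"\xca\xfe\xba\xbe",
    "com/itextpdf/kernel/utils/CompareTool.class": b"\xca\xfe\xba\xbe",
})
SAMPLE_PLUGIN = build_jar({
    "plugin.xml": b"<plugin/>",
    "lib/itext-1.3.1.jar": INNER_OLD,
    "lib/client/thirdparty/iText.jar": INNER_7,
})

if __name__ == "__main__":
    for p in flagged_jars(SAMPLE_PLUGIN, "plugins/com.tomsawyer_9.0.0.jar"):
        print("CompareTool/GhostscriptHelper bundled in:", p)
```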