Blackduck scans have reported new vulnerabilities related to itext:

CVE-2022-24197 (BDSA-2021-4193): iText is vulnerable to a stack-based buffer overflow. An attacker could exploit this flaw by tricking a victim in to running a maliciously crafted file on the application leading to a denial-of-service (DoS) condition.

Scanned version is 10.7.0.361,

found in:

plugins/com.ca.apm.introscope.workstation.webapp_10.7.0.jar ! /WebContent/WEB-INF/lib/iText.jar

plugins/com.wily.ui.jasper.report_10.7.0.jar ! /lib/itext-1.3.1.jar

plugins/com.tomsawyer_9.0.0.jar ! /lib/client/thirdparty/iText.jar

Release : 10.7.0, 10.8

Component : Introscope

Vulnerability Description: iText v7.1.17 was discovered to contain a stack-based buffer overflow via the component ByteBuffer.append, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

This security vulnerability is about the attacker supplied PDF. We do not use iText to read PDFs.  Therefore, it is false positive.