Blackduck scans have reported new vulnerabilities related to itext:
CVE-2022-24197 (BDSA-2021-4193): iText is vulnerable to a stack-based buffer overflow. An attacker could exploit this flaw by tricking a victim in to running a maliciously crafted file on the application leading to a denial-of-service (DoS) condition.
Scanned version is 10.7.0.361,
found in:
plugins/com.ca.apm.introscope.workstation.webapp_10.7.0.jar ! /WebContent/WEB-INF/lib/iText.jar
plugins/com.wily.ui.jasper.report_10.7.0.jar ! /lib/itext-1.3.1.jar
plugins/com.tomsawyer_9.0.0.jar ! /lib/client/thirdparty/iText.jar
Release : 10.7.0, 10.8
Component : Introscope
Vulnerability Description: iText v7.1.17 was discovered to contain a stack-based buffer overflow via the component ByteBuffer.append, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
This security vulnerability is about the attacker supplied PDF. We do not use iText to read PDFs. Therefore, it is false positive.