CVEs

2022

• CVE-2022-24198 - disputed (check the link for details)
• CVE-2022-24196 - addressed with 7.1.18 and 7.2.2
• CVE-2022-24197 - addressed with 7.1.18 and 7.2.2

2021

• CVE-2021-43113 - addressed with 7.1.17 and 5.5.13.3

iText dependencies:

2022

• CVE-2022-45688 - can be reported by OWASP Dependency Checker  for jackson-core-2.13.4.jar  however, we don't have a dependency on the vulnerable library (details)
• CVE-2022-45146 - FIPS-compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11 (and this module is only used for FIPS compliance)