Skip to main content
Skip table of contents

CVEs

Legacy notice!

iText 5 is the previous major version of iText’s leading PDF SDK. iText 5 is EOL, and is no longer developed, although we still provide support and security fixes. Switch your project to iText 8, our latest version which supports the latest PDF standards and technologies.
Check related iText 8 content!

iText dependencies:

2023

The iText 5 targets Java 5 which means that we can not update org.apache.santuario:xmlsec version to 2.x.x or newer as it requires Java 8. If you are not using the com.itextpdf.text.pdf.security.MakeXmlSignature class then you can avoid adding org.apache.santuario:xmlsec dependency into your project. Which means that you would not be affected by the related vulnerabilities, for example https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESANTUARIO-1655558 . If you are using com.itextpdf.text.pdf.security.MakeXmlSignature class, for example for XFA signatures, then you can:

  • either use org.apache.santuario:xmlsec 1.5.8 as a dependency which is affected by the vulnerability specified above, but works on Java 5+;

  • CVE-2023-33201

It's safe for you to update your dependencies so that the bouncy castle transitive dependency is 1.74. For instance:

CODE
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcpkix-jdk15on</artifactId>
      <version>1.74</version>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15on</artifactId>
      <version>1.74</version>
      <optional>true</optional>
    </dependency>

2022

This CVE is not applicable to the product line iText 5, but to the product line iText 7 (a rewrite). We're trying to fix this CVE.

This CVE is not applicable to the product line iText 5, but to the product line iText 7 (a rewrite). We're trying to fix this CVE.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.