CVEs
iText dependencies:
2024
CVE-2024-29857 - This CVE report describes a vulnerability discovered in the Java and .NET BouncyCastle dependencies of iText 5.5.13.3. iText 5 version 5.5.13.4 addresses this issue.
2023
iText 5 targets Java 5, which means that we cannot update the org.apache.santuario:xmlsec version to 2.x.x or newer, as that requires Java 8. If you are not using the com.itextpdf.text.pdf.security.MakeXmlSignature class, then you can avoid adding the org.apache.santuario:xmlsec dependency to your project, which means that you would not be affected by the related vulnerabilities, for example https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESANTUARIO-1655558 . If you are using the com.itextpdf.text.pdf.security.MakeXmlSignature class, for example for XFA signatures, then you can either:
- use org.apache.santuario:xmlsec 1.5.8 as a dependency, which is affected by the vulnerability specified above but works on Java 5+; or
- use org.apache.santuario:xmlsec 2.1.7 or newer, which requires Java 8+ and affects the output format (see https://issues.apache.org/jira/browse/SANTUARIO-494 ).
CVE-2023-33201
It is safe for you to update your dependencies so that the transitive Bouncy Castle dependency is 1.74. For instance:
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15on</artifactId>
    <version>1.74</version>
    <optional>true</optional>
</dependency>
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>1.74</version>
    <optional>true</optional>
</dependency>
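As an added example (not iText's own code), the following script audits a project's pom.xml for the two dependency states discussed above: a Bouncy Castle artifact pinned below 1.74 (CVE-2023-33201) and an org.apache.santuario:xmlsec version below 2.1.7 (only relevant when MakeXmlSignature is used). The sample POM, the 1.70 Bouncy Castle pin in it and the audit_pom/parse_version function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

BC_FIXED = (1, 74)        # first Bouncy Castle version the page calls safe for CVE-2023-33201
XMLSEC_FIXED = (2, 1, 7)  # xmlsec version the page recommends instead of 1.5.8 (needs Java 8+)


def local(tag):
    """Strip a '{namespace}' prefix so POMs with or without an xmlns are handled alike."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """'1.74' -> (1, 74); '1.5.8' -> (1, 5, 8); non-numeric parts count as 0."""
    out = []
    for part in text.strip().split("."):
        digits = "".join(c for c in part if c.isdigit())
        out.append(int(digits) if digits else 0)
    return tuple(out)


def audit_pom(pom_xml):
    """Return one finding string per declared dependency the advisories above cover."""
    findings = []
    for el in ET.fromstring(pom_xml).iter():
        if local(el.tag) != "dependency":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        group = fields.get("groupId", "")
        artifact = fields.get("artifactId", "")
        version = fields.get("version", "")
        if group == "org.bouncycastle" and parse_version(version) < BC_FIXED:
            findings.append(f"{group}:{artifact}:{version} below 1.74 (CVE-2023-33201)")
        elif group == "org.apache.santuario" and artifact == "xmlsec" and parse_version(version) < XMLSEC_FIXED:
            findings.append(f"{group}:{artifact}:{version} affected (SNYK-JAVA-ORGAPACHESANTUARIO-1655558); "
                            "only needed when MakeXmlSignature is used")
    return findings


# Constructed sample POM: an older Bouncy Castle pin plus the Java 5 compatible xmlsec 1.5.8.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.bouncycastle</groupId><artifactId>bcprov-jdk15on</artifactId><version>1.70</version></dependency>
    <dependency><groupId>org.apache.santuario</groupId><artifactId>xmlsec</artifactId><version>1.5.8</version></dependency>
    <dependency><groupId>com.itextpdf</groupId><artifactId>itextpdf</artifactId><version>5.5.13.4</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for finding in audit_pom(SAMPLE_POM):
        print(finding)
```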
2022
This CVE is not applicable to the product line iText 5.