Statement regarding CVE-2022-24198 and CVE-2023-6298

The CVE-2022-24198 and CVE-2023-6298 reports claim there is an improper validation of array index in the iText library leading to a vulnerability.

We do not agree with this assessment at this point, since it is unclear what kind of exploit could result from the reported behavior.

We do confirm that the provided code samples trigger a java.lang.ArrayIndexOutOfBoundsException in our Java library and a System.IndexOutOfRangeException in our C# library. But the fact that our code throws an exception is not by itself a vulnerability, and no case demonstrating that this behavior can be exploited has been presented to us.

Those vulnerability reports are linked to the weakness entries identified as CWE-129 and CWE-125.

These weakness entries describe the following possible exploits, as they apply to the C and C++ programming languages:

  • Denial of Service: Crash, Exit, or Restart;
  • Modify Memory;
  • Read Memory;
  • Execute Unauthorized Code or Commands;
  • Bypass Protection Mechanism.

However, iText is a Java and C# library. Java and C# safeguard against the listed exploits in the case of out-of-bounds access by providing memory abstractions: the runtime checks the index and rejects the access before any memory outside the array is read or written. Nothing related to unauthorized code execution or memory manipulation is applicable here.

Both weakness records even list using a language like Java or C# under `Potential Mitigations`:

For example, ... languages such as Java and Ruby will allow the programmer to handle exceptions when an out-of-bounds index is accessed.

Use a language that provides appropriate memory abstractions.

Additionally, throwing an exception on out-of-bounds array access does not lead to undefined behavior in those languages. ArrayIndexOutOfBoundsException is a java.lang.RuntimeException, which can be caught and handled appropriately (this distinguishes it from java.lang.Error subclasses). The fact that a user of the library may not know that this exception can be thrown does not by itself mean the library has a vulnerability, and in our opinion it cannot be classified as a Denial of Service vulnerability.
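As an added illustration of the point above (this is example code, not part of the statement or of iText), the following Java program processes a batch of untrusted inputs through a stand-in parser that throws ArrayIndexOutOfBoundsException on a malformed length field. Because the exception is an unchecked RuntimeException, the caller can catch it per input and continue; `parseDocument` and the byte inputs are constructed for this example and do not reflect the iText API.

```java
import java.util.ArrayList;
import java.util.List;

public class RobustDocumentProcessing {

    /** Outcome of processing one untrusted input. */
    public record Outcome(String name, boolean ok, String detail) {}

    /**
     * Stand-in for a library call that may throw an unchecked
     * ArrayIndexOutOfBoundsException on malformed input. Assumption: this is
     * not iText code; it only reproduces the exception type the statement
     * describes by trusting a declared object count from the input.
     */
    static int parseDocument(byte[] data) {
        int declaredCount = data[0];            // untrusted length field
        int sum = 0;
        for (int i = 1; i <= declaredCount; i++) {
            sum += data[i];                      // JVM bounds check throws here if count lies
        }
        return sum;
    }

    /** Process each input in isolation so one malformed file cannot stop the batch. */
    public static List<Outcome> processAll(List<byte[]> inputs) {
        List<Outcome> results = new ArrayList<>();
        for (int n = 0; n < inputs.size(); n++) {
            String name = "input-" + n;
            try {
                int value = parseDocument(inputs.get(n));
                results.add(new Outcome(name, true, "parsed, checksum=" + value));
            } catch (ArrayIndexOutOfBoundsException e) {
                // Unchecked (RuntimeException), so it is catchable; the runtime already
                // rejected the access, so no memory outside the array was touched.
                results.add(new Outcome(name, false, "malformed: " + e.getMessage()));
            }
            // java.lang.Error subclasses (e.g. OutOfMemoryError) are deliberately not
            // caught: they signal JVM-level conditions, not a malformed document.
        }
        return results;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one well-formed, one whose count field lies.
        List<byte[]> inputs = List.of(
            new byte[] {3, 10, 20, 30},   // declares 3 objects, contains 3
            new byte[] {9, 1, 2});        // declares 9 objects, contains 2 -> exception
        for (Outcome o : processAll(inputs)) {
            System.out.println(o.name() + " ok=" + o.ok() + " " + o.detail());
        }
        System.out.println("is RuntimeException: "
            + RuntimeException.class.isAssignableFrom(ArrayIndexOutOfBoundsException.class));
    }
}
```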
