Wiz
Vulnerability DatabaseCVE-2022-24198

CVE-2022-24198
Java vulnerability analysis and mitigation

Overview

iText v7.1.17 was discovered to contain an out-of-bounds exception via the component ARCFOUREncryption.encryptARCFOUR, which allows attackers to cause a potential Denial of Service (DoS) via a crafted PDF file. The vulnerability was reported in February 2022 and is tracked as CVE-2022-24198 (NVD).

Technical details

The vulnerability manifests as an ArrayIndexOutOfBoundsException in the ARCFOUREncryption.encryptARCFOUR component. The issue was identified in multiple components including StandardHandlerUsingStandard128.computeOwnerKey, PdfXrefTable.clear, PdfXrefTable.get, and PdfXrefTable.initFreeReferencesList (GitHub PR).

Impact

While initially reported as a potential Denial of Service vulnerability, the vendor has disputed this classification. The vendor acknowledges that the code can trigger an ArrayIndexOutOfBoundsException but maintains that this does not constitute a security vulnerability as Java inherently protects against buffer overflow attacks (GitHub Comment).

Mitigation and workarounds

The vendor acknowledges that the library could handle invalid input better but disputes this as a security vulnerability. They have indicated openness to improvements in exception handling but have not issued a specific security patch as they do not consider this a security issue (GitHub Comment).

Community reactions

The security community appears divided on this issue. While it was initially assigned a CVE identifier, the vendor has disputed its classification as a security vulnerability. This has led to discussions about what constitutes a security vulnerability versus a programming error (GitHub PR).

Additional resources

SourceThis report was generated using AI

Related Java vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-55749HIGH8.7
  • JavaJava
  • org.xwiki.platform:xwiki-platform-tool-jetty-resources
NoYesDec 01, 2025
CVE-2025-64775HIGH7.5
  • JavaJava
  • javapackages-tools:201801::guice-servlet
NoYesDec 01, 2025
CVE-2025-13806MEDIUM6.9
  • JavaJava
  • org.nutz:nutzboot-parent
NoNoDec 01, 2025
CVE-2025-66453MEDIUM5.5
  • JavaJava
  • org.mozilla:rhino
NoYesDec 03, 2025
CVE-2025-13472MEDIUM5.3
  • JavaJava
  • com.blazemeter.plugins:blazemeterjenkinsplugin
NoYesDec 03, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo