CPANSA-Image-ExifTool-2021-22204: Image-ExifTool vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2021-04-23T00:00:00 | Engine | CSAF Perl Toolkit 0.25 |
| Current release date | 2021-04-23T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | 6.8 | Severity | |
| Original language | Language | en | |
| Also referred to | |||
Vulnerability Description
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image
Vulnerabilities
CVE-2021-22204
Vulnerability DescriptionImproper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image
| Weakness | CWE-94 : Improper Control of Generation of Code ('Code Injection') |
|---|
Product status
Known affected
| Product | Score | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Image-ExifTool greater than or equal 7.44 and less than or equal 12.23 |
|
Fixed
- Image-ExifTool greater than 12.23
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-Image-ExifTool-2021-22204 JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2021/cpansa-image-exiftool-2021-22204.json - http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html external
http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html - http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html external
http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html - http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html external
http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html - http://packetstormsecurity.com/files/167038/ExifTool-12.23-Arbitrary-Code-Execution.html external
http://packetstormsecurity.com/files/167038/ExifTool-12.23-Arbitrary-Code-Execution.html - http://www.openwall.com/lists/oss-security/2021/05/09/1 external
http://www.openwall.com/lists/oss-security/2021/05/09/1 - http://www.openwall.com/lists/oss-security/2021/05/10/5 external
http://www.openwall.com/lists/oss-security/2021/05/10/5 - https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800 external
https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800 - https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22204.json external
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22204.json - https://hackerone.com/reports/1154542 external
https://hackerone.com/reports/1154542 - https://lists.debian.org/debian-lts-announce/2021/05/msg00018.html external
https://lists.debian.org/debian-lts-announce/2021/05/msg00018.html - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/ external
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/ - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6UOBPU3LSHAPRRJNISNVXZ5DSUIALLV/ external
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6UOBPU3LSHAPRRJNISNVXZ5DSUIALLV/ - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U4RF6PJCJ6NQOVJJJF6HN6BORUQVIXY6/ external
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U4RF6PJCJ6NQOVJJJF6HN6BORUQVIXY6/ - https://www.debian.org/security/2021/dsa-4910 external
https://www.debian.org/security/2021/dsa-4910 - CVE-2021-22204 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2021-22204
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Fri Apr 23 00:00:00 2021 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/