Vulnerability Description
kamadak-exif is an exif parsing library written in pure Rust. In kamadak-exif version 0.5.2, there is an infinite loop in parsing crafted PNG files. Specifically, reader::read_from_container can cause an infinite loop when a crafted PNG file is given. This is fixed in version 0.5.3. No workaround is available. Applications that do not pass files with the PNG signature to Reader::read_from_container are not affected.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kamadak-Exif Project | Kamadak-Exif | 0.5.2 |
Related Weaknesses (CWE)
References
- https://crates.io/crates/kamadak-exifProductThird Party Advisory
- https://github.com/kamadak/exif-rs/commit/f21df24616ea611c5d5d0e0e2f8042eb74d5ffPatchThird Party Advisory
- https://github.com/kamadak/exif-rs/security/advisories/GHSA-px9g-8hgv-jvg2Third Party Advisory
- https://crates.io/crates/kamadak-exifProductThird Party Advisory
- https://github.com/kamadak/exif-rs/commit/f21df24616ea611c5d5d0e0e2f8042eb74d5ffPatchThird Party Advisory
- https://github.com/kamadak/exif-rs/security/advisories/GHSA-px9g-8hgv-jvg2Third Party Advisory
FAQ
What is CVE-2021-21235?
CVE-2021-21235 is a vulnerability with a CVSS score of 5.7 (MEDIUM). kamadak-exif is an exif parsing library written in pure Rust. In kamadak-exif version 0.5.2, there is an infinite loop in parsing crafted PNG files. Specifically, reader::read_from_container can cause...
How severe is CVE-2021-21235?
CVE-2021-21235 has been rated MEDIUM with a CVSS base score of 5.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-21235?
Check the references section above for vendor advisories and patch information. Affected products include: Kamadak-Exif Project Kamadak-Exif.