CVE-2021-22204 — MEDIUM (6.8)

Q: What is CVE-2021-22204?

CVE-2021-22204 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image

Q: How severe is CVE-2021-22204?

CVE-2021-22204 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-22204?

Check the references section above for vendor advisories and patch information. Affected products include: Exiftool Project Exiftool, Debian Debian Linux, Fedoraproject Fedora.

Vulnerability Description

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image

CVSS Score

6.8

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Exiftool Project	Exiftool	>= 7.44, < 12.24
Debian	Debian Linux	9.0
Fedoraproject	Fedora	32

Related Weaknesses (CWE)

CWE-94

References

http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.htmExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifToExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-ExecutionExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/167038/ExifTool-12.23-Arbitrary-Code-ExecutExploitThird Party AdvisoryVDB Entry
http://www.openwall.com/lists/oss-security/2021/05/09/1Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2021/05/10/5Mailing ListThird Party Advisory
https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25ddPatch
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22204.jsonThird Party Advisory
https://hackerone.com/reports/1154542ExploitIssue TrackingThird Party Advisory
https://lists.debian.org/debian-lts-announce/2021/05/msg00018.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproRelease Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproRelease Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproRelease Notes
https://www.debian.org/security/2021/dsa-4910Mailing ListThird Party Advisory
http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.htmExploitThird Party AdvisoryVDB Entry

FAQ

What is CVE-2021-22204?

CVE-2021-22204 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image

How severe is CVE-2021-22204?

CVE-2021-22204 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-22204?

Check the references section above for vendor advisories and patch information. Affected products include: Exiftool Project Exiftool, Debian Debian Linux, Fedoraproject Fedora.