CVE-2021-22204

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image
References
Link Resource
https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800 Patch Third Party Advisory
https://hackerone.com/reports/1154542 Permissions Required Third Party Advisory
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22204.json Third Party Advisory
https://www.debian.org/security/2021/dsa-4910 Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4RF6PJCJ6NQOVJJJF6HN6BORUQVIXY6/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6UOBPU3LSHAPRRJNISNVXZ5DSUIALLV/ Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/05/09/1 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/05/10/5 Mailing List Third Party Advisory
http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html Third Party Advisory VDB Entry
https://lists.debian.org/debian-lts-announce/2021/05/msg00018.html Mailing List Third Party Advisory
http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/167038/ExifTool-12.23-Arbitrary-Code-Execution.html Exploit Third Party Advisory VDB Entry
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:exiftool_project:exiftool:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Information

Published : 2021-04-23 11:15

Updated : 2022-07-27 09:29


NVD link : CVE-2021-22204

Mitre link : CVE-2021-22204


JSON object : View

CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Advertisement

dedicated server usa

Products Affected

debian

  • debian_linux

exiftool_project

  • exiftool

fedoraproject

  • fedora