CVE-2021-22204

Name
CVE-2021-22204
Description
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
MISC https://hackerone.com/reports/1154542
CONFIRM https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22204.json
Third Party Advisory https://www.debian.org/security/2021/dsa-4910
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4RF6PJCJ6NQOVJJJF6HN6BORUQVIXY6/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6UOBPU3LSHAPRRJNISNVXZ5DSUIALLV/
MLIST http://www.openwall.com/lists/oss-security/2021/05/09/1
MLIST http://www.openwall.com/lists/oss-security/2021/05/10/5
MISC http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html
MLIST https://lists.debian.org/debian-lts-announce/2021/05/msg00018.html
MISC http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html
Exploit http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html
MISC http://packetstormsecurity.com/files/167038/ExifTool-12.23-Arbitrary-Code-Execution.html
Release Notes https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/
Release Notes https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6UOBPU3LSHAPRRJNISNVXZ5DSUIALLV/
Release Notes https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U4RF6PJCJ6NQOVJJJF6HN6BORUQVIXY6/
134c704f-9b21-4f2e-91b3-4a467353bcc0 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22204

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:exiftool_project:exiftool:*:*:*:*:*:*:*:* exiftool >= 7.44 < 12.24

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
perl-image-exiftool edge-community 12.24-r0 None fixed
perl-image-exiftool 3.22-community 12.24-r0 None fixed
perl-image-exiftool 3.21-community 12.24-r0 None fixed
perl-image-exiftool 3.20-community 12.24-r0 None fixed
perl-image-exiftool 3.19-community 12.24-r0 None fixed
perl-image-exiftool 3.18-community 12.24-r0 None fixed
perl-image-exiftool 3.17-community 12.24-r0 None fixed