CVE-2020-13114 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 78%

Affected Products (NVD)

Vendor	Product	Version
libexif_project	libexif	𝑥 < 0.6.22
canonical	ubuntu_linux	12.04
canonical	ubuntu_linux	14.04
canonical	ubuntu_linux	16.04
canonical	ubuntu_linux	18.04
canonical	ubuntu_linux	19.10
canonical	ubuntu_linux	20.04
opensuse	leap	15.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libexif

bookworm	0.6.24-1 fixed
bullseye	0.6.22-3 fixed
sid	0.6.24-1 fixed
trixie	0.6.24-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

libexif

bionic	Fixed 0.6.21-4ubuntu0.5 released
eoan	Fixed 0.6.21-5.1ubuntu0.5 released
focal	Fixed 0.6.21-6ubuntu0.3 released
trusty	Fixed 0.6.21-1ubuntu1+esm5 released
xenial	Fixed 0.6.21-2ubuntu0.5 released

openSUSE / SLES Releases

openSUSE Product

Release

libexif-devel

suse enterprise desktop 15 SP1	0.6.22-5.6.1 fixed
suse enterprise desktop 15 SP2	0.6.22-5.6.1 fixed
suse enterprise desktop 15 SP3	0.6.22-5.6.1 fixed
suse enterprise desktop 15 SP4	0.6.22-5.6.1 fixed
suse enterprise desktop 15 SP5	0.6.22-5.6.1 fixed
suse enterprise desktop 15 SP6	0.6.22-5.6.1 fixed
suse enterprise desktop 15 SP7	0.6.22-5.6.1 fixed
suse enterprise sap 15 SP1	0.6.22-5.6.1 fixed
suse enterprise sap 15 SP2	0.6.22-5.6.1 fixed
suse enterprise sap 15 SP3	0.6.22-5.6.1 fixed
suse enterprise sap 15 SP4	0.6.22-5.6.1 fixed
suse enterprise sap 15 SP5	0.6.22-5.6.1 fixed
suse enterprise sap 15 SP6	0.6.22-5.6.1 fixed
suse enterprise sap 15 SP7	0.6.22-5.6.1 fixed
suse enterprise server 15 SP1	0.6.22-5.6.1 fixed
suse enterprise server 15 SP2	0.6.22-5.6.1 fixed
suse enterprise server 15 SP3	0.6.22-5.6.1 fixed
suse enterprise server 15 SP4	0.6.22-5.6.1 fixed
suse enterprise server 15 SP5	0.6.22-5.6.1 fixed
suse enterprise server 15 SP6	0.6.22-5.6.1 fixed
suse enterprise server 15 SP7	0.6.22-5.6.1 fixed

libexif12

suse enterprise desktop 15 SP1	0.6.22-5.6.1 fixed
suse enterprise desktop 15 SP2	0.6.22-5.6.1 fixed
suse enterprise desktop 15 SP3	0.6.22-5.6.1 fixed
suse enterprise desktop 15 SP4	0.6.22-5.6.1 fixed
suse enterprise desktop 15 SP5	0.6.22-5.6.1 fixed
suse enterprise desktop 15 SP6	0.6.22-5.6.1 fixed
suse enterprise desktop 15 SP7	0.6.22-5.6.1 fixed
suse enterprise sap 12 SP1	0.6.22-8.9.1 fixed
suse enterprise sap 12 SP2	0.6.22-8.9.1 fixed
suse enterprise sap 12 SP3	0.6.22-8.9.1 fixed
suse enterprise sap 12 SP4	0.6.22-8.9.1 fixed
suse enterprise sap 12 SP5	0.6.22-8.9.1 fixed
suse enterprise sap 15 SP1	0.6.22-5.6.1 fixed
suse enterprise sap 15 SP2	0.6.22-5.6.1 fixed
suse enterprise sap 15 SP3	0.6.22-5.6.1 fixed
suse enterprise sap 15 SP4	0.6.22-5.6.1 fixed
suse enterprise sap 15 SP5	0.6.22-5.6.1 fixed
suse enterprise sap 15 SP6	0.6.22-5.6.1 fixed
suse enterprise sap 15 SP7	0.6.22-5.6.1 fixed
suse enterprise server 12 SP1	0.6.22-8.9.1 fixed
suse enterprise server 12 SP2	0.6.22-8.9.1 fixed
suse enterprise server 12 SP3	0.6.22-8.9.1 fixed
suse enterprise server 12 SP4	0.6.22-8.9.1 fixed
suse enterprise server 12 SP5	0.6.22-8.9.1 fixed
suse enterprise server 15 SP1	0.6.22-5.6.1 fixed
suse enterprise server 15 SP2	0.6.22-5.6.1 fixed
suse enterprise server 15 SP3	0.6.22-5.6.1 fixed
suse enterprise server 15 SP4	0.6.22-5.6.1 fixed
suse enterprise server 15 SP5	0.6.22-5.6.1 fixed
suse enterprise server 15 SP6	0.6.22-5.6.1 fixed
suse enterprise server 15 SP7	0.6.22-5.6.1 fixed

libexif12-32bit

suse enterprise sap 12 SP1	0.6.22-8.9.1 fixed
suse enterprise sap 12 SP2	0.6.22-8.9.1 fixed
suse enterprise sap 12 SP3	0.6.22-8.9.1 fixed
suse enterprise sap 12 SP4	0.6.22-8.9.1 fixed
suse enterprise sap 12 SP5	0.6.22-8.9.1 fixed
suse enterprise server 12 SP1	0.6.22-8.9.1 fixed
suse enterprise server 12 SP2	0.6.22-8.9.1 fixed
suse enterprise server 12 SP3	0.6.22-8.9.1 fixed
suse enterprise server 12 SP4	0.6.22-8.9.1 fixed
suse enterprise server 12 SP5	0.6.22-8.9.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

libexif

RHEL 7	0:0.6.22-1.el7 fixed
RHEL 8	0:0.6.22-4.el8 fixed

libexif-devel

RHEL 7	0:0.6.22-1.el7 fixed
RHEL 8	0:0.6.22-4.el8 fixed

libexif-doc

RHEL 7

0:0.6.22-1.el7

fixed

Common Weakness Enumeration

CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00017.html

https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab

https://lists.debian.org/debian-lts-announce/2020/05/msg00025.html

https://security.gentoo.org/glsa/202007-05

https://usn.ubuntu.com/4396-1/

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00017.html

https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab

https://lists.debian.org/debian-lts-announce/2020/05/msg00025.html

https://security.gentoo.org/glsa/202007-05

https://usn.ubuntu.com/4396-1/