CVE-2021-34335

EUVD-2021-20996
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A floating point exception (FPE) due to an integer divide by zero was found in Exiv2 versions v0.27.4 and earlier. The FPE is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the interpreted (translated) data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p t` or `-P t`). The bug is fixed in version v0.27.5.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.7 MEDIUM
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
GitHub_MCNA
4.7 MEDIUM
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 22%
Affected Products (NVD)
VendorProductVersion
exiv2exiv2
𝑥
≤ 0.27.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
exiv2
bookworm
0.27.6-1
fixed
bullseye
0.27.3-3+deb11u2
fixed
bullseye (security)
vulnerable
buster
not-affected
sid
0.28.3+dfsg-2
fixed
trixie
0.28.3+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
exiv2
bionic
not-affected
focal
Fixed 0.27.2-8ubuntu2.6
released
hirsute
Fixed 0.27.3-3ubuntu1.5
released
impish
Fixed 0.27.3-3ubuntu4
released
jammy
Fixed 0.27.3-3ubuntu4
released
trusty
dne
xenial
not-affected
Common Weakness Enumeration
References
https://github.com/Exiv2/exiv2/pull/1750
https://github.com/Exiv2/exiv2/security/advisories/GHSA-pvjp-m4f6-q984
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/
https://security.gentoo.org/glsa/202312-06
https://github.com/Exiv2/exiv2/pull/1750
https://github.com/Exiv2/exiv2/security/advisories/GHSA-pvjp-m4f6-q984
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/
https://security.gentoo.org/glsa/202312-06