CVE-2021-37622

EUVD-2021-24180
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`). The bug is fixed in version v0.27.5.
Infinite Loop
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
GitHub_MCNA
5.5 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 29%
Affected Products (NVD)
VendorProductVersion
exiv2exiv2
𝑥
≤ 0.27.4
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
exiv2
bookworm
0.27.6-1
fixed
bullseye
0.27.3-3+deb11u2
fixed
bullseye (security)
vulnerable
sid
0.28.3+dfsg-2
fixed
stretch
no-dsa
trixie
0.28.3+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
exiv2
bionic
Fixed 0.25-3.1ubuntu0.18.04.11
released
focal
Fixed 0.27.2-8ubuntu2.6
released
hirsute
Fixed 0.27.3-3ubuntu1.5
released
impish
Fixed 0.27.3-3ubuntu4
released
jammy
Fixed 0.27.3-3ubuntu4
released
trusty
dne
xenial
Fixed 0.25-2.1ubuntu16.04.7+esm4
released
Common Weakness Enumeration
References
https://github.com/Exiv2/exiv2/pull/1788
https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jh3-fcc3-g6hv
https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/
https://security.gentoo.org/glsa/202312-06
https://github.com/Exiv2/exiv2/pull/1788
https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jh3-fcc3-g6hv
https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/
https://security.gentoo.org/glsa/202312-06