CVE-2019-13111 — Integer Overflow or Wraparound in Exiv2

CWE-190 — Integer Overflow or Wraparound CWE-400 — Uncontrolled Resource Consumption7 documents6 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 71.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Exiv2 Fedoraproject Fedora Debian Exiv2

Timeline

PublishedJun 30

Latest updateMay 24

Description

A WebPImage::decodeChunks integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (large heap allocation followed by a very long running loop) via a crafted WEBP image file.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶Alpineexiv2/exiv2< 0.27.2-r0

▶NVDexiv2/exiv20.27.1

▶debiandebian/exiv2

Also affects: Fedora 30

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-hmv7-h8ff-46mm: A WebPImage::decodeChunks integer overflow in Exiv2 through 0↗2022-05-24

▶

OSV

CVE-2019-13111: A WebPImage::decodeChunks integer overflow in Exiv2 through 0↗2019-06-30

▶

📋Vendor Advisories

Red Hat

exiv2: integer overflow in WebPImage::decodeChunks leads to denial of service↗2019-06-30

▶

Debian

CVE-2019-13111: exiv2 - A WebPImage::decodeChunks integer overflow in Exiv2 through 0.27.1 allows an att...↗2019

▶

💬Community

Bugzilla

CVE-2019-13111 exiv2: integer overflow in WebPImage::decodeChunks leads to denial of service↗2019-07-10

▶

Bugzilla

CVE-2019-13111 exiv2: integer overflow in WebPImage::decodeChunks leads to denial of service [fedora-all]↗2019-07-10

▶