CVE-2019-20421Infinite Loop in Exiv2

CWE-835Infinite LoopCWE-400Uncontrolled Resource Consumption9 documents8 sources
Severity
7.5HIGHNVD
EPSS
3.1%
top 13.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Exiv2Debian Exiv2Canonical Ubuntu Linux+4 more
Timeline
PublishedJan 27
Latest updateMay 24

Description

In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input file can result in an infinite loop and hang, with high CPU consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

debiandebian/exiv2< exiv2 0.27.2-8 (bookworm)
Debianexiv2/exiv2< 0.27.2-8+3
NVDexiv2/exiv20.27.2

Also affects: Debian Linux 10.0, 9.0, Ubuntu Linux 16.04, 18.04, 19.10

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
GHSA-p4gw-2vrq-j64q: In Jp2Image::readMetadata() in jp2image2022-05-24
OSV
CVE-2019-20421: In Jp2Image::readMetadata() in jp2image2020-01-27

📋Vendor Advisories

4
Ubuntu
Exiv2 vulnerability2020-02-05
Microsoft
In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2 an input file can result in an infinite loop and hang with high CPU consumption. Remote attackers could leverage this vulnerability to cause2020-01-14
Red Hat
exiv2: infinite loop and hang in Jp2Image::readMetadata() in jp2image.cpp could lead to DoS2019-09-30
Debian
CVE-2019-20421: exiv2 - In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input file can r...2019

💬Community

2
Bugzilla
CVE-2019-20421 exiv2: infinite loop and hang in Jp2Image::readMetadata() in jp2image.cpp could lead to DoS2020-02-07
Bugzilla
CVE-2019-20421 exiv2: infinite loop and hang in Jp2Image::readMetadata() in jp2image.cpp could lead to DoS [fedora-all]2020-02-07