CVE-2020-13112 — Out-of-bounds Read in External Libexif

CWE-125 — Out-of-bounds Read CWE-122 — Heap-based Buffer Overflow CWE-190 — Integer Overflow or Wraparound14 documents10 sources

Severity

9.1CRITICALNVD

CNA5.0OSV5.0

EPSS

1.0%

top 23.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform External Libexif Libexif Project Libexif Canonical Ubuntu Linux +2 more

Timeline

PublishedMay 21

Latest updateAug 8

Description

An issue was discovered in libexif before 0.6.22. Several buffer over-reads in EXIF MakerNote handling could lead to information disclosure and crashes. This is different from CVE-2020-0093.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages5 packages

▶NVDlibexif_project/libexif< 0.6.22

▶Androidplatform/external_libexif10:0 — 10:2022-02-01+1

▶Debianlibexif_project/libexif< 0.6.21-9+3

▶Ubuntulibexif_project/libexif< 0.6.21-2ubuntu0.5+3

▶NVDopensuse/leap15.1

Also affects: Debian Linux 8.0, Ubuntu Linux 12.04, 14.04, 16.04, 18.04, 19.10, 20.04

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-4pxw-3px9-5fg9: An issue was discovered in libexif before 0↗2022-05-24

▶

OSV

CVE-2020-13112: In exif_entry_get_value of exif-entry↗2022-02-01

▶

OSV

libexif vulnerabilities↗2020-06-16

▶

CVEList

CVE-2020-13112: An issue was discovered in libexif before 0↗2020-05-21

▶

OSV

CVE-2020-13112: An issue was discovered in libexif before 0↗2020-05-21

▶

📋Vendor Advisories

Android

CVE-2020-13112: Android Security Bulletin 2022-02-01 CVE: CVE-2020-13112 Severity: HIGH Type: EoP Affected AOSP versions: 10, 11 References: A-194342672*↗2022-02-01

▶

Ubuntu

libexif vulnerabilities↗2020-06-16

▶

Red Hat

libexif: several buffer over-reads in EXIF MakerNote handling can lead to information disclosure and DoS↗2020-05-16

▶

Debian

CVE-2020-13112: libexif - An issue was discovered in libexif before 0.6.22. Several buffer over-reads in E...↗2020

▶

🕵️Threat Intelligence

Qualys

A Deep Dive into VMDR 2.0 with Qualys TruRisk™↗2022-08-08

▶

Qualys

A Deep Dive into VMDR 2.0 with Qualys TruRisk™ | Qualys↗2022-08-08

▶

💬Community

Bugzilla

CVE-2020-13112 libexif: several buffer over-reads in EXIF MakerNote handling can lead to information disclosure and DoS↗2020-05-26

▶

Bugzilla

CVE-2020-13112 libexif: several buffer over-reads in EXIF MakerNote handling can lead to information disclosure and DoS [fedora-all]↗2020-05-26

▶