cbcvebase.
CVE-2021-22204
published 2021-04-23

CVE-2021-22204: Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image

Priority: P188 high · CVSS 3.1 base score 7.8
CVSS 3.1 vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2021-12-01)
Exploited in the wild
EPSS: 99.98% (100.0th percentile)

Affected

8 ranges

Vendor           | Product                 | Version range                                        | Fixed in
-----------------|-------------------------|------------------------------------------------------|------------------------------------------------
debian           | debian_linux            |                                                      |
debian           | debian_linux            |                                                      |
debian           | libimage-exiftool-perl  | < libimage-exiftool-perl 12.16+dfsg-2 (bookworm)     | libimage-exiftool-perl 12.16+dfsg-2 (bookworm)
exiftool         | exiftool                |                                                      |
exiftool_project | exiftool                | >= 7.44, < 12.24                                     | 12.24
fedoraproject    | fedora                  |                                                      |
fedoraproject    | fedora                  |                                                      |
fedoraproject    | fedora                  |                                                      |

Detection & IOCs (extracted from sources)

path: /var/www/dev01.artcorp.htb/metaview/uploads/
  • CVE-2021-22204 exploits ExifTool's DjVu file format parser (annotations field); malicious files are often disguised as JPEG images but contain embedded DjVu payloads — inspect uploaded image files for DjVu magic bytes or annotations content.
  • CVE-2021-22204 was exploited in the wild by Cerber ransomware actors against GitLab servers to upload and execute code remotely in the context of the 'git' account — alert on ExifTool process spawning shells or unexpected child processes under the 'git' user.
  • CVE-2021-22204 exploitation results in code execution as the web server user (e.g., www-data); monitor for reverse shell connections originating from ExifTool or image-processing parent processes.
  • The root cause of CVE-2021-22204 is weak regex-based sanitization before feeding user input into an eval sink in ExifTool — flag ExifTool versions 7.44 through the unpatched range processing DjVu files.
  • Affected ExifTool versions are 7.44 and up (prior to the patch); ensure all asset management platforms, photo organization apps, and bulk image processing scripts are running a patched version.
  • The public PoC exploit (convisolabs/CVE-2021-22204-exiftool) requires editing the attacker IP address in exploit.py before generating the malicious image — detections based solely on static file hashes of the PoC output will not generalise across attacker-customised payloads.
  • The vulnerability is triggered during file parsing, not upload — web applications that process images server-side with ExifTool (including embedded library usage) are vulnerable even if the upload endpoint performs extension or MIME-type validation.

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|------------------------------------------------
nvd           | v3.1    | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa          |         | 7.8   | HIGH     |
osv           |         | 7.8   | HIGH     |
vulncheck     |         | 6.8   | MEDIUM   |
cisa          |         | 7.8   | HIGH     |
vendor_debian |         | 6.8   | MEDIUM   |