⚠ Actively exploited

Added to CISA KEV on 2021-11-17. Federal agencies required to patch by 2021-12-01. Required action: Apply updates per vendor instructions..

CVE-2021-22204 — Code Injection in Project Exiftool

CWE-94 — Code Injection CWE-625 — Permissive Regular Expression CWE-74 — Injection CWE-95 — Eval Injection25 documents16 sources

Severity

7.8HIGHNVD

VulnCheck6.8

EPSS

92.9%

top 0.23%

CISA KEV

KEV

Added 2021-11-17

Due 2021-12-01

Exploit

Exploited in wild

Active exploitation observed

Affected products

Exiftool Project Exiftool Debian Libimage-exiftool-perl Exiftool +2 more

Timeline

PublishedApr 23

KEV addedNov 17

KEV dueDec 1

Latest updateFeb 14

CISA Required Action: Apply updates per vendor instructions.

Description

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/libimage-exiftool-perl< libimage-exiftool-perl 12.16+dfsg-2 (bookworm)

▶NVDexiftool_project/exiftool7.44 — 12.24

▶CVEListV5exiftool/exiftool>=7.44, <12.24

Also affects: Debian Linux 10.0, 9.0, Fedora 32, 33, 34

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

ExifTool vulnerable to arbitrary code execution↗2023-01-20

▶

OSV

ExifTool vulnerable to arbitrary code execution↗2023-01-20

▶

GHSA

GHSA-9377-7hwr-p4w6: Improper neutralization of user data in the DjVu file format in ExifTool versions 7↗2022-05-24

▶

GHSA

Arbitrary code execution in ExifTool↗2021-05-04

▶

OSV

Arbitrary code execution in ExifTool↗2021-05-04

▶

💥Exploits & PoCs

Exploit-DB

ExifTool 12.23 - Arbitrary Code Execution↗2022-05-11

▶

Exploit-DB

GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)↗2021-11-17

▶

Metasploit

GitLab Unauthenticated Remote ExifTool Command Injection↗

▶

🔍Detection Rules

Suricata

ET EXPLOIT GitLab Pre-Auth RCE Detected (CVE-2021-22205)↗2023-02-14

▶

📋Vendor Advisories

Ubuntu

ExifTool vulnerability↗2022-02-08

▶

CISA

ExifTool Remote Code Execution Vulnerability↗2021-11-17

▶

Ubuntu

ExifTool vulnerability↗2021-06-10

▶

Debian

CVE-2021-22204: libimage-exiftool-perl - Improper neutralization of user data in the DjVu file format in ExifTool version...↗2021

▶

🕵️Threat Intelligence

Talos

Quarterly Report: Incident Response trends in Q1 2022↗2022-04-26

▶

Talos

Quarterly Report: Incident Response trends in Q1 2022↗2022-04-26

▶

Qualys

Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys↗2022-02-23

▶

📐Framework References

CWE

Permissive Regular Expression↗

▶

CWE

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')↗

▶

CWE

Improper Control of Generation of Code ('Code Injection')↗

▶

📄Research Papers

arXiv

TaxIdMA: Towards a Taxonomy for Attacks related to Identities↗2023-01-01

▶

CTF

Meta / README↗

▶

CTF

Overflow / README↗

▶