CVE-2021-28275 — Incorrect Type Conversion or Cast in Jhead

CWE-704 — Incorrect Type Conversion or Cast CWE-77 — Command Injection6 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 73.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jhead Project Jhead Debian Jhead

Timeline

PublishedMar 23

Latest updateMay 29

Description

A Denial of Service vulnerability exists in jhead 3.04 and 3.05 due to a wild address read in the Get16u function in exif.c in will cause segmentation fault via a crafted_file.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/jhead< jhead 1:3.06.0.1-2 (bookworm)

▶Debianjhead_project/jhead< 1:3.06.0.1-2+2

▶Ubuntujhead_project/jhead< 1:2.97-1+deb8u2ubuntu0.1~esm3+4

▶NVDjhead_project/jhead3.04, 3.05+1

🔴Vulnerability Details

OSV

Jhead vulnerabilities↗2023-05-29

▶

GHSA

GHSA-67w2-vvm4-fjr9: A Denial of Service vulnerability exists in jhead 3↗2022-03-24

▶

OSV

CVE-2021-28275: A Denial of Service vulnerability exists in jhead 3↗2022-03-23

▶

📋Vendor Advisories

Ubuntu

Jhead vulnerabilities↗2023-05-29

▶

Debian

CVE-2021-28275: jhead - A Denial of Service vulnerability exists in jhead 3.04 and 3.05 due to a wild ad...↗2021

▶