CVE-2021-29623Use of Uninitialized Resource in Exiv2

CWE-908Use of Uninitialized Resource7 documents6 sources
Severity
3.3LOWNVD
OSV5.5
EPSS
0.3%
top 46.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Exiv2Debian Exiv2Fedoraproject Fedora+3 more
Timeline
PublishedMay 13
Latest updateMay 25

Description

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A read of uninitialized memory was found in Exiv2 versions v0.27.3 and earlier. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The read of uninitialized memory is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to lea

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages8 packages

CVEListV5exiv2/exiv2< v0.27.4
NVDexiv2/exiv2< 0.27.4
debiandebian/exiv2< exiv2 0.27.5-1 (bookworm)
Debianexiv2/exiv2< 0.27.3-3+deb11u2+3
Ubuntuexiv2/exiv2< 0.25-3.1ubuntu0.18.04.9+2

Also affects: Fedora 33, 34

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
exiv2 vulnerabilities2021-05-25
OSV
CVE-2021-29623: Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata2021-05-13

📋Vendor Advisories

4
Ubuntu
Exiv2 vulnerabilities2021-05-25
Red Hat
exiv2: Use of uninitialized memory in isWebPType() may lead to information leak2021-05-13
Microsoft
Uninitialized variable bug in Exiv22021-05-11
Debian
CVE-2021-29623: exiv2 - Exiv2 is a C++ library and a command-line utility to read, write, delete and mod...2021