CVE-2021-32617Uncontrolled Resource Consumption in Exiv2

CWE-400Uncontrolled Resource ConsumptionCWE-407Inefficient Algorithmic Complexity8 documents7 sources
Severity
5.5MEDIUMNVD
EPSS
0.1%
top 77.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Exiv2Debian Exiv2Fedoraproject Fedora+3 more
Timeline
PublishedMay 17
Latest updateMay 25

Description

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An inefficient algorithm (quadratic complexity) was found in Exiv2 versions v0.27.3 and earlier. The inefficient algorithm is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed i

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages8 packages

NVDexiv2/exiv2< 0.27.4
debiandebian/exiv2< exiv2 0.27.5-1 (bookworm)
Debianexiv2/exiv2< 0.27.5-1+2
Ubuntuexiv2/exiv2< 0.25-3.1ubuntu0.18.04.9+2
CVEListV5exiv2/exiv20.27.3

Also affects: Fedora 33, 34

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
exiv2 vulnerabilities2021-05-25
OSV
CVE-2021-32617: Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files2021-05-17

📋Vendor Advisories

4
Ubuntu
Exiv2 vulnerabilities2021-05-25
Red Hat
exiv2: DoS due to quadratic complexity in ProcessUTF8Portion2021-05-16
Microsoft
Denial of service in Exiv22021-05-11
Debian
CVE-2021-32617: exiv2 - Exiv2 is a command-line utility and C++ library for reading, writing, deleting, ...2021

📐Framework References

1
CWE
Inefficient Algorithmic Complexity