CVE-2021-37621 — Infinite Loop in Exiv2

CWE-835 — Infinite Loop7 documents6 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 75.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Exiv2 Debian Exiv2 Debian Linux +4 more

Timeline

PublishedAug 9

Latest updateAug 17

Description

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the …

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages7 packages

▶debiandebian/exiv2< exiv2 0.27.5-1 (bookworm)

▶Debianexiv2/exiv2< 0.27.3-3+deb11u2+3

▶Ubuntuexiv2/exiv2< 0.25-3.1ubuntu0.18.04.11+2

▶NVDexiv2/exiv20.27.4

▶msrcmsrc/cbl2_exiv2_0.27.5-1_on_cbl_mariner_2.0

Also affects: Debian Linux 10.0, Fedora 33, 34

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

exiv2 vulnerabilities↗2021-08-17

▶

OSV

CVE-2021-37621: Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files↗2021-08-09

▶

📋Vendor Advisories

Ubuntu

Exiv2 vulnerabilities↗2021-08-17

▶

Microsoft

Denial of service due to infinite loop in Image::printIFDStructure↗2021-08-10

▶

Red Hat

exiv2: DoS due to infinite loop in Image::printIFDStructure↗2021-08-08

▶

Debian

CVE-2021-37621: exiv2 - Exiv2 is a command-line utility and C++ library for reading, writing, deleting, ...↗2021

▶