Lucene search

K
cvelistGitHub_MCVELIST:CVE-2021-37622
HistoryAug 09, 2021 - 12:00 a.m.

CVE-2021-37622 Denial of service due to infinite loop in JpegBase::printStructure (#1)

2021-08-0900:00:00
CWE-835
GitHub_M
www.cve.org
8
exiv2
denial of service
infinite loop
jpegbase
crafted image file
metadata
vulnerability
version 0.27.5

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

44.7%

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (-d I rm). The bug is fixed in version v0.27.5.

CNA Affected

[
  {
    "vendor": "Exiv2",
    "product": "exiv2",
    "versions": [
      {
        "version": "<= 0.27.4",
        "status": "affected"
      }
    ]
  }
]

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

44.7%