CVE-2021-22204

2021-04-2300:00:00

ubuntu.com

exiftool

cve-2021-22204

djvu

unix

arbitrary code execution

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.967

Percentile

99.7%

JSON

Improper neutralization of user data in the DjVu file format in ExifTool
versions 7.44 and up allows arbitrary code execution when parsing the
malicious image

Bugs

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchlibimage-exiftool-perl< 10.80-1ubuntu0.1UNKNOWN
ubuntu20.04noarchlibimage-exiftool-perl< 11.88-1ubuntu0.1UNKNOWN
ubuntu20.10noarchlibimage-exiftool-perl< 12.05-1ubuntu0.1UNKNOWN
ubuntu21.04noarchlibimage-exiftool-perl< 12.16+dfsg-1ubuntu0.1UNKNOWN
ubuntu16.04noarchlibimage-exiftool-perl< 10.10-1ubuntu0.1~esm1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	libimage-exiftool-perl	< 10.80-1ubuntu0.1	UNKNOWN
ubuntu	20.04	noarch	libimage-exiftool-perl	< 11.88-1ubuntu0.1	UNKNOWN
ubuntu	20.10	noarch	libimage-exiftool-perl	< 12.05-1ubuntu0.1	UNKNOWN
ubuntu	21.04	noarch	libimage-exiftool-perl	< 12.16+dfsg-1ubuntu0.1	UNKNOWN
ubuntu	16.04	noarch	libimage-exiftool-perl	< 10.10-1ubuntu0.1~esm1	UNKNOWN