CVE-2021-22204
Publication date 23 April 2021
Last updated 21 August 2024
Ubuntu priority
CVSS 3 severity score
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing a malicious image.
Status
Package | Ubuntu Release | Status
---|---|---
libimage-exiftool-perl | 22.04 LTS jammy | Not affected
libimage-exiftool-perl | 20.04 LTS focal | Fixed 11.88-1ubuntu0.1
libimage-exiftool-perl | 18.04 LTS bionic | Fixed 10.80-1ubuntu0.1
libimage-exiftool-perl | 16.04 LTS xenial | Fixed 10.10-1ubuntu0.1~esm1
libimage-exiftool-perl | 14.04 LTS trusty | Not in release
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 · High |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-4987-1: ExifTool vulnerability (10 June 2021)
- USN-4987-2: ExifTool vulnerability (8 February 2022)
Other references
- https://bugs.launchpad.net/bugs/1925985
- https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
- https://hackerone.com/reports/1154542
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22204.json
- https://www.cve.org/CVERecord?id=CVE-2021-22204
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog