Vulnerability CVE-2021-22204

Vulnerability CVE-2021-22204

Published: 2021-04-23

Description:

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image

See advisories in our WLB2 database:

	Topic	Author	Date
Med.	ExifTool DjVu ANT Perl Injection	Justin Steven	15.05.2021
High	GitLab Unauthenticated Remote ExifTool Command Injection	William Bowling	05.11.2021
High	GitLab 13.10.2 Remote Code Execution (RCE) (Unauthenticated)	Jacob Baines	17.11.2021
High	ExifTool 12.23 Arbitrary Code Execution	UNICORD	11.05.2022

Type:

CWE-78

(Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') )

References:

https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800

https://hackerone.com/reports/1154542

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22204.json

Vulnerability CVE-2021-22204

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image

See advisories in our WLB2 database:

Med.

ExifTool DjVu ANT Perl Injection

High

GitLab Unauthenticated Remote ExifTool Command Injection

High

GitLab 13.10.2 Remote Code Execution (RCE) (Unauthenticated)

High

ExifTool 12.23 Arbitrary Code Execution

CWE-78

References: