Vulnerability CVE-2021-22204

Published: 2021-04-23

Description:
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing a malicious image.

See advisories in our WLB2 database:

Risk   Topic                                                          Author            Date
Med.   ExifTool DjVu ANT Perl Injection                               Justin Steven     15.05.2021
High   GitLab Unauthenticated Remote ExifTool Command Injection       William Bowling   05.11.2021
High   GitLab 13.10.2 Remote Code Execution (RCE) (Unauthenticated)   Jacob Baines      17.11.2021
High   ExifTool 12.23 Arbitrary Code Execution                        UNICORD           11.05.2022

Type:

CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))

References:
https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
https://hackerone.com/reports/1154542
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22204.json

Copyright 2024, cxsecurity.com