CVE-2021-32815

EPSS 0.15%
Published 09.08.2021 18:15:07
Last modified 21.11.2024 06:07:48
Source security-advisories@github.com
Teams watchlist Login
Open Login

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The assertion failure is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when modifying the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `fi`. ### Patches The bug is fixed in version v0.27.5. ### References Regression test and bug fix: #1739 ### For more information Please see our [security policy](https://github.com/Exiv2/exiv2/security/policy) for information about Exiv2 security.

Affected products Warnungen 0 Metrics 4 CWE 1 References 9

Data is provided by the National Vulnerability Database (NVD)

Exiv2 ≫ Exiv2 Version <= 0.27.4

Fedoraproject ≫ Fedora Version33

Fedoraproject ≫ Fedora Version34

Debian ≫ Debian Linux Version10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.15%	0.366

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:N/A:P
security-advisories@github.com	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE-617 Reachable Assertion

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html

Third Party Advisory

Mailing List

https://security.gentoo.org/glsa/202312-06

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/

https://github.com/Exiv2/exiv2/pull/1739

Patch

Third Party Advisory

https://github.com/Exiv2/exiv2/security/advisories/GHSA-mv9g-fxh2-m49m

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-32815

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-32815

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-32815

EUVD