CVE-2021-37619
Summary
| CVE | CVE-2021-37619 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2021-08-09 19:15:00 UTC |
|---|
| Updated | 2023-12-22 10:15:00 UTC |
|---|
| Description | Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert. The bug is fixed in version v0.27.5. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| Fix incorrect loop condition by kevinbackhouse · Pull Request #1752 · Exiv2/exiv2 · GitHub |
MISC |
github.com |
|
| Out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header · Advisory · Exiv2/exiv2 · GitHub |
CONFIRM |
github.com |
|
| Exiv2: Multiple Vulnerabilities (GLSA 202312-06) — Gentoo security |
|
security.gentoo.org |
|
| [SECURITY] Fedora 33 Update: mingw-exiv2-0.27.4-3.fc33 - package-announce - Fedora Mailing-Lists |
FEDORA |
lists.fedoraproject.org |
|
| [SECURITY] Fedora 34 Update: mingw-exiv2-0.27.4-3.fc34 - package-announce - Fedora Mailing-Lists |
FEDORA |
lists.fedoraproject.org |
|
| [SECURITY] Fedora 33 Update: mingw-exiv2-0.27.4-3.fc33 - package-announce - Fedora Mailing-Lists |
|
lists.fedoraproject.org |
|
| [SECURITY] Fedora 34 Update: mingw-exiv2-0.27.4-3.fc34 - package-announce - Fedora Mailing-Lists |
|
lists.fedoraproject.org |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159486 Oracle Enterprise Linux Security Update for compat-exiv2-026 (ELSA-2021-4319)
- 182356 Debian Security Update for exiv2 (CVE-2021-37619)
- 198462 Ubuntu Security Notification for Exiv2 Vulnerabilities (USN-5043-1)
- 239787 Red Hat Update for exiv2 security (RHSA-2021:4173)
- 239824 Red Hat Update for compat-exiv2-026 (RHSA-2021:4319)
- 281833 Fedora Security Update for mingw (FEDORA-2021-399f869889)
- 281834 Fedora Security Update for mingw (FEDORA-2021-cbaef8e2d5)
- 501842 Alpine Linux Security Update for exiv2
- 504732 Alpine Linux Security Update for exiv2
- 671049 EulerOS Security Update for exiv2 (EulerOS-SA-2021-2628)
- 710810 Gentoo Linux Exiv2 Multiple Vulnerabilities (GLSA 202312-06)
- 752681 SUSE Enterprise Linux Security Update for exiv2 (SUSE-SU-2022:3598-1)
- 900932 Common Base Linux Mariner (CBL-Mariner) Security Update for exiv2 (7221)
- 902250 Common Base Linux Mariner (CBL-Mariner) Security Update for exiv2 (7221-1)
- 940201 AlmaLinux Security Update for compat-exiv2-026 (ALSA-2021:4319)
- 940296 AlmaLinux Security Update for exiv2 (ALSA-2021:4173)
- 960736 Rocky Linux Security Update for exiv2 (RLSA-2021:4173)
- 960824 Rocky Linux Security Update for compat-exiv2-026 (RLSA-2021:4319)
