CVE-2021-37621: Denial of service due to infinite loop in Image::printIFDStructure
First published: Mon Aug 09 2021(Updated: )
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). The bug is fixed in version v0.27.5.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| CentOS Dos2unix | <=0.27.4 | |
| Fedora | =33 | |
| Fedora | =34 | |
| Debian | =10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/Exiv2/exiv2/pull/1778
- https://github.com/Exiv2/exiv2/security/advisories/GHSA-m479-7frc-gqqg
- https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/
- https://security.gentoo.org/glsa/202312-06
Frequently Asked Questions
What is the severity of CVE-2021-37621?
CVE-2021-37621 has a severity rating classified as medium due to the potential for an infinite loop leading to resource consumption.
How do I fix CVE-2021-37621?
To fix CVE-2021-37621, users should upgrade Exiv2 to version 0.27.5 or later where the vulnerability is addressed.
What versions are affected by CVE-2021-37621?
CVE-2021-37621 affects Exiv2 versions up to and including 0.27.4 and certain versions of Fedora and Debian Linux.
What types of attacks can exploit CVE-2021-37621?
CVE-2021-37621 can be exploited by providing a crafted image file that triggers the infinite loop when its metadata is accessed.
Is CVE-2021-37621 a remote or local vulnerability?
CVE-2021-37621 can be considered a local vulnerability, as it requires local access to run the Exiv2 utility on a crafted image.
- agent/references
- agent/type
- agent/event
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/title
- agent/description
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- vendor/exiv2
- canonical/centos dos2unix
- version/centos dos2unix/0.27.4
- vendor/fedoraproject
- canonical/fedora
- version/fedora/33
- version/fedora/34
- vendor/debian
- canonical/debian
- version/debian/10.0