CVE-2021-37621

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). The bug is fixed in version v0.27.5.

CVSS v3 5.5 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:N/A:P

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://github.com/Exiv2/exiv2/pull/1778	Patch Third Party Advisory
https://github.com/Exiv2/exiv2/security/advisories/GHSA-m479-7frc-gqqg	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/
https://security.gentoo.org/glsa/202312-06

Configurations

Configuration 1 (hide)

cpe:2.3:a:exiv2:exiv2:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

22 Dec 2023, 10:15

Type	Values Removed	Values Added
References		() https://security.gentoo.org/glsa/202312-06 -

07 Nov 2023, 03:36

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/', 'name': 'FEDORA-2021-399f869889', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/', 'name': 'FEDORA-2021-cbaef8e2d5', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/ -

13 Jan 2023, 19:58

Type	Values Removed	Values Added
First Time		Debian Debian debian Linux
CPE		cpe:2.3:o:debian:debian_linux:10.0:::::::*
References	~~(MLIST) https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html -~~	(MLIST) https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html - Mailing List, Third Party Advisory

10 Jan 2023, 19:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html -

21 Sep 2021, 17:10

Type	Values Removed	Values Added
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/ - Mailing List, Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/ - Mailing List, Third Party Advisory
CPE		cpe:2.3:o:fedoraproject:fedora:34:::::::* cpe:2.3:o:fedoraproject:fedora:33:::::::*

20 Aug 2021, 03:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/ -

17 Aug 2021, 14:41

Type	Values Removed	Values Added
CPE		cpe:2.3:a:exiv2:exiv2::::::::
References	~~(MISC) https://github.com/Exiv2/exiv2/pull/1778 -~~	(MISC) https://github.com/Exiv2/exiv2/pull/1778 - Patch, Third Party Advisory
References	~~(CONFIRM) https://github.com/Exiv2/exiv2/security/advisories/GHSA-m479-7frc-gqqg -~~	(CONFIRM) https://github.com/Exiv2/exiv2/security/advisories/GHSA-m479-7frc-gqqg - Third Party Advisory
CWE		CWE-835
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 4.3 v3 : 5.5

09 Aug 2021, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-08-09 19:15

Updated : 2023-12-22 10:15

NVD link : CVE-2021-37621

Mitre link : CVE-2021-37621

CVE.ORG link : CVE-2021-37621

JSON object : View

Products Affected

debian

debian_linux

fedoraproject

fedora

exiv2

exiv2

CWE

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

5.5 /10

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2021-37621

5.5^/10

4.3^/10

Attach tags to `CVE-2021-37621`