CVE-2021-22204

Published: Apr 23, 2021Modified: Nov 3, 2025CISA KEV

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image

Affected (6)

Products: Exiftool Project: Exiftool · Debian: Debian Linux · Fedoraproject: Fedora

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Exiftool Project Exiftool	From 7.44 to 12.24

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 32
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (29)

http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html

Source: cve@gitlab.com

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html

Source: cve@gitlab.com

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html

Source: cve@gitlab.com

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/167038/ExifTool-12.23-Arbitrary-Code-Execution.html

Source: cve@gitlab.com

ExploitThird Party AdvisoryVDB Entry

http://www.openwall.com/lists/oss-security/2021/05/09/1

Source: cve@gitlab.com

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2021/05/10/5

Source: cve@gitlab.com

Mailing ListThird Party Advisory

https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800

Source: cve@gitlab.com

Patch

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22204.json

Source: cve@gitlab.com

Third Party Advisory

https://hackerone.com/reports/1154542

Source: cve@gitlab.com

ExploitIssue TrackingThird Party Advisory

https://lists.debian.org/debian-lts-announce/2021/05/msg00018.html

Source: cve@gitlab.com

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/

Source: cve@gitlab.com

Release Notes

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6UOBPU3LSHAPRRJNISNVXZ5DSUIALLV/

Source: cve@gitlab.com

Release Notes

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U4RF6PJCJ6NQOVJJJF6HN6BORUQVIXY6/

Source: cve@gitlab.com

Release Notes

https://www.debian.org/security/2021/dsa-4910

Source: cve@gitlab.com

Mailing ListThird Party Advisory

http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html