Vulnerability Details: CVE-2021-22204
Public exploit exists!
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image.
CVE-2021-22204 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name: ExifTool Remote Code Execution Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: Improper neutralization of user data in the DjVu file format in Exiftool versions 7.44 and up allows arbitrary code execution when parsing the malicious image.
Added on: 2021-11-17
Action due date: 2021-12-01
Exploit prediction scoring system (EPSS) score for CVE-2021-22204
Probability of exploitation activity in the next 30 days: 92.05%
Percentile (the proportion of vulnerabilities scored at or below this one): ~99%
Metasploit modules for CVE-2021-22204
- GitLab Unauthenticated Remote ExifTool Command Injection
  Disclosure Date: 2021-04-14. First seen: 2022-12-23. Module: exploit/multi/http/gitlab_exif_rce
  This module exploits an unauthenticated file upload and command injection vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The patched versions are 13.10.3, 13.9.6, and 13.8.8. Exploitation will result in command executio
- ExifTool DjVu ANT Perl injection
  Disclosure Date: 2021-05-24. First seen: 2021-05-12. Module: exploit/unix/fileformat/exiftool_djvu_ant_perl_injection
  This module exploits a Perl injection vulnerability in the DjVu ANT parsing code of ExifTool versions 7.44 through 12.23 inclusive. The injection is used to execute a shell command using Perl backticks. The DjVu image can be embedded in a wrapper image using
CVSS scores for CVE-2021-22204
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
| 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
| 6.8 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L | 2.5 | 3.7 | GitLab Inc. |
| 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST |
CWE ids for CVE-2021-22204
- The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-22204
- https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
  Update to 12.24 · exiftool/exiftool@cf0f4e7 · GitHub (Patch; Third Party Advisory)
- https://www.debian.org/security/2021/dsa-4910
  Debian -- Security Information -- DSA-4910-1 libimage-exiftool-perl (Third Party Advisory)
- http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html
  GitLab 13.10.2 Remote Code Execution ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- http://packetstormsecurity.com/files/167038/ExifTool-12.23-Arbitrary-Code-Execution.html
  ExifTool 12.23 Arbitrary Code Execution ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- http://www.openwall.com/lists/oss-security/2021/05/09/1
  oss-security - [CVE-2021-22204] ExifTool - Arbitrary code execution in the DjVu module when parsing a malicious image (Mailing List; Third Party Advisory)
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22204.json
  2021/CVE-2021-22204.json · master · GitLab.org / cves · GitLab (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6UOBPU3LSHAPRRJNISNVXZ5DSUIALLV/
  [SECURITY] Fedora 33 Update: perl-Image-ExifTool-12.16-3.fc33 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://hackerone.com/reports/1154542
  HackerOne report 1154542 (Permissions Required; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/05/msg00018.html
  [SECURITY] [DLA 2663-1] libimage-exiftool-perl security update (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4RF6PJCJ6NQOVJJJF6HN6BORUQVIXY6/
  [SECURITY] Fedora 34 Update: perl-Image-ExifTool-12.16-3.fc34 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/
  [SECURITY] Fedora 32 Update: perl-Image-ExifTool-12.16-3.fc32 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2021/05/10/5
  oss-security - Re: [CVE-2021-22204] ExifTool - Arbitrary code execution in the DjVu module when parsing a malicious image (Mailing List; Third Party Advisory)
- http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html
  ExifTool DjVu ANT Perl Injection ≈ Packet Storm (Third Party Advisory; VDB Entry)
- http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html
  GitLab Unauthenticated Remote ExifTool Command Injection ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
Products affected by CVE-2021-22204
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:a:exiftool_project:exiftool:*:*:*:*:*:*:*:*