CVE-2021-22204
- Source
- https://cve.org/CVERecord?id=CVE-2021-22204
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22204.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-22204
- Downstream
- Related
- Published
- 2021-04-23T18:15:08.127Z
- Modified
- 2026-03-20T11:38:50.757212Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image
- References
-
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22204
- http://www.openwall.com/lists/oss-security/2021/05/09/1
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22204.json
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6UOBPU3LSHAPRRJNISNVXZ5DSUIALLV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U4RF6PJCJ6NQOVJJJF6HN6BORUQVIXY6/
- https://www.debian.org/security/2021/dsa-4910
- https://lists.debian.org/debian-lts-announce/2021/05/msg00018.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/
- http://www.openwall.com/lists/oss-security/2021/05/10/5
- https://hackerone.com/reports/1154542
- https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
- http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html
- http://packetstormsecurity.com/files/167038/ExifTool-12.23-Arbitrary-Code-Execution.html
- http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html
Affected packages
Git / github.com/exiftool/exiftool
Affected versions
10.*
10.00
10.01
10.02
10.03
10.04
10.05
10.06
10.07
10.08
10.09
10.10
10.11
10.12
10.13
10.14
10.15
10.16
10.17
10.18
10.19
10.20
10.21
10.22
10.23
10.24
10.25
10.26
10.27
10.28
10.29
10.30
10.31
10.32
10.33
10.34
10.35
10.36
10.37
10.38
10.39
10.40
10.41
10.42
10.43
10.44
10.45
10.46
10.47
10.48
10.49
10.50
10.51
10.52
10.53
10.54
10.55
10.56
10.57
10.58
10.59
10.60
10.61
10.62
10.63
10.64
10.65
10.66
10.67
10.68
10.69
10.71
10.72
10.73
10.74
10.75
10.76
10.77
10.78
10.79
10.81
10.82
10.83
10.84
10.85
10.86
10.87
10.88
10.89
10.90
10.91
10.92
10.93
10.94
10.95
10.96
10.97
10.98
10.99
11.*
11.00
11.01
11.02
11.03
11.04
11.05
11.06
11.07
11.08
11.09
11.10
11.11
11.12
11.13
11.14
11.15
11.16
11.17
11.18
11.19
11.20
11.21
11.22
11.23
11.24
11.25
11.26
11.27
11.28
11.29
11.30
11.31
11.32
11.33
11.34
11.35
11.36
11.37
11.38
11.39
11.40
11.41
11.42
11.43
11.44
11.45
11.46
11.47
11.48
11.49
11.50
11.51
11.52
11.53
11.54
11.55
11.56
11.57
11.58
11.59
11.60
11.61
11.62
11.63
11.64
11.65
11.66
11.67
11.68
11.69
11.70
11.71
11.72
11.73
11.74
11.75
11.76
11.77
11.78
11.79
11.80
11.81
11.82
11.83
11.84
11.85
11.86
11.87
11.88
11.89
11.90
11.91
11.92
11.93
11.94
11.95
11.96
11.97
11.98
11.99
12.*
12.00
12.01
12.02
12.03
12.04
12.05
12.06
12.07
12.08
12.09
12.10
12.11
12.12
12.13
12.14
12.15
12.16
12.17
12.18
12.19
12.20
12.21
12.22
12.23
9.*
9.71
9.72
9.73
9.74
9.75
9.76
9.77
9.78
9.79
9.80
9.81
9.82
9.83
9.84
9.85
9.86
9.87
9.88
9.89
9.90
9.91
9.92
9.93
9.94
9.95
9.96
9.97
9.98
9.99
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "32"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "33"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "34"
}
]
}
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22204.json"