CVE-2021-37620

low-risk
Published 2021-08-09

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.5.

Do I need to act?

-
0.08% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.7/10 Medium
LOCAL / HIGH complexity

Affected Products (4)

Affected Vendors

Debian Fedoraproject Exiv2

References (12)

Patch https://github.com/Exiv2/exiv2/pull/1769
Third Party Advisory https://github.com/Exiv2/exiv2/security/advisories/GHSA-v5g7-46xf-h728
Mailing List https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://security.gentoo.org/glsa/202312-06
Patch https://github.com/Exiv2/exiv2/pull/1769
Third Party Advisory https://github.com/Exiv2/exiv2/security/advisories/GHSA-v5g7-46xf-h728
Mailing List https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://security.gentoo.org/glsa/202312-06
22
/ 100
low-risk
Severity 12/34 · Low
Exploitability 0/34 · Minimal
Exposure 10/34 · Low