← Back to CVEs
CVE-2021-22204
MEDIUMCISA KEV6.8
Description
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image
CVE Details
CVSS v3.1 Score6.8
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Attack VectorLOCAL
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published4/23/2021
Last Modified11/3/2025
Sourcekev
Honeypot Sightings0
CISA KEV
VendorPerl
ProductExiftool
Vulnerability NameExifTool Remote Code Execution Vulnerability
KEV Date Added2021-11-17
Remediation Due Date2021-12-01
Ransomware UseUnknown
Affected Products
debian:debian_linuxexiftool_project:exiftoolfedoraproject:fedora
Weaknesses (CWE)
CWE-94CWE-94
References
http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html(cve@gitlab.com)
http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html(cve@gitlab.com)
http://packetstormsecurity.com/files/167038/ExifTool-12.23-Arbitrary-Code-Execution.html(cve@gitlab.com)
http://www.openwall.com/lists/oss-security/2021/05/09/1(cve@gitlab.com)
http://www.openwall.com/lists/oss-security/2021/05/10/5(cve@gitlab.com)
https://hackerone.com/reports/1154542(cve@gitlab.com)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/(cve@gitlab.com)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6UOBPU3LSHAPRRJNISNVXZ5DSUIALLV/(cve@gitlab.com)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U4RF6PJCJ6NQOVJJJF6HN6BORUQVIXY6/(cve@gitlab.com)
https://www.debian.org/security/2021/dsa-4910(cve@gitlab.com)
http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/167038/ExifTool-12.23-Arbitrary-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2021/05/09/1(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2021/05/10/5(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800(af854a3a-2127-422b-91ae-364da2661108)
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22204.json(af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1154542(af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2021/05/msg00018.html(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6UOBPU3LSHAPRRJNISNVXZ5DSUIALLV/(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U4RF6PJCJ6NQOVJJJF6HN6BORUQVIXY6/(af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2021/dsa-4910(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22204(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.