Gentoo update for Exiv2
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 26 |
| CVE-ID | CVE-2020-18771 CVE-2020-18773 CVE-2020-18774 CVE-2020-18899 CVE-2021-29457 CVE-2021-29458 CVE-2021-29463 CVE-2021-29464 CVE-2021-29470 CVE-2021-29473 CVE-2021-29623 CVE-2021-31291 CVE-2021-31292 CVE-2021-32617 CVE-2021-32815 CVE-2021-34334 CVE-2021-34335 CVE-2021-37615 CVE-2021-37616 CVE-2021-37618 CVE-2021-37619 CVE-2021-37620 CVE-2021-37621 CVE-2021-37622 CVE-2021-37623 CVE-2023-44398 |
| CWE-ID | CWE-125 CWE-119 CWE-369 CWE-770 CWE-787 CWE-200 CWE-400 CWE-617 CWE-835 CWE-476 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Gentoo Linux Operating systems & Components / Operating system media-gfx/exiv2 Operating systems & Components / Operating system package or component |
| Vendor | Gentoo |
Security Bulletin
This security bulletin contains information about 26 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU84705
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-18771
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack or gain access to sensitive information.
The vulnerability exists due to global buffer over-read in Exiv2::Internal::Nikon1MakerNote::print0x0088 in nikonmn_int.cpp. A remote attacker can perform a denial of service attack or gain access to sensitive information.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Buffer overflow
EUVDB-ID: #VU84706
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-18773
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the decode() function in iptc.cpp. A remote attacker can pass specially crafted file to the application and perform a denial of service (DoS) attack.
Update the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Division by zero
EUVDB-ID: #VU84707
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-18774
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a divide by zero error within the printLong() function in tags_int.cpp. A remote attacker can pass a specially crafted file to the application and perform a denial of service (DoS) attack.
Update the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU84708
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-18899
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an uncontrolled memory allocation in DataBufdata(subBox.length-sizeof(box)) function. A remote attacker can pass specially crafted file to the application and perform a denial of service (DoS) attack.
Update the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Heap-based buffer overflow
EUVDB-ID: #VU55920
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-29457
CWE-ID: N/A
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can trick the victim top open a specially crafted image, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Out-of-bounds read
EUVDB-ID: #VU84709
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-29458
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the Exiv2::Internal::CrwMap::encode() function. A remote attacker can pass a specially crafted file to the application and perform a denial of service attack.
Update the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Out-of-bounds read
EUVDB-ID: #VU84710
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-29463
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within Exiv2::WebPImage::doWriteMetadata(). A remote attacker can pass a specially crafted file to the application and perform a denial of service attack.
Update the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Out-of-bounds write
EUVDB-ID: #VU84711
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-29464
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in Exiv2::Jp2Image::encodeJp2Header(). A remote attacker can pass specially crafted file to the application, trigger an out-of-bounds write and execute arbitrary code on the target system.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Out-of-bounds read
EUVDB-ID: #VU84712
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-29470
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in Exiv2::Jp2Image::encodeJp2Header(). A remote attacker can pass specially crafted file to the application and perform a denial of service (DoS) attack.
Update the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Out-of-bounds read
EUVDB-ID: #VU55921
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-29473
CWE-ID: N/A
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to perform denial of service (DoS) attack.
The vulnerability exists due to a boundary condition when processing Exif, IPTC, XMP and ICC image metadata. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and crash the affected application.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Information disclosure
EUVDB-ID: #VU53298
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-29623
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a read of uninitialized memory flaw. A remote attacker can trick a victim to open a specially crafted image file and gain unauthorized access to sensitive information on the system.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Heap-based buffer overflow
EUVDB-ID: #VU55973
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-31291
CWE-ID: N/A
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in jp2image.cpp in Exiv2. A remote attacker can use crafted metadata to trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Integer overflow
EUVDB-ID: #VU55922
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-31292
CWE-ID: N/A
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to integer overflow CrwMap::encode0x1810 of Exiv2. A remote attacker can pass specially crafted data to the application, trigger integer overflow and crash the application.
Update the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Resource exhaustion
EUVDB-ID: #VU67973
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-32617
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application uses an inefficient algorithm (quadratic complexity) when writing metadata into a crafted image file. A remote attacker can trick trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Reachable Assertion
EUVDB-ID: #VU69648
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-32815
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when handling metadata of image files. A remote attacker can pass a specially crafted image to the application and perform a denial of service (DoS) attack.
Update the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Infinite loop
EUVDB-ID: #VU69649
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-34334
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when processing metadata of image files. A remote attacker can pass a specially crafted image to the application, consume all available system resources and cause denial of service conditions.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Division by zero
EUVDB-ID: #VU84713
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-34335
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to divide by zero error in Exiv2::Internal::resolveLens0xffff(). A remote attacker can pass specially crafted file to the application and crash it.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) NULL pointer dereference
EUVDB-ID: #VU84714
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-37615
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in Exiv2::Internal::resolveLens0x319(). A remote attacker can pass specially crafted file to the application and perform a denial of service (DoS) attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) NULL pointer dereference
EUVDB-ID: #VU84715
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-37616
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in Exiv2::Internal::resolveLens0x8ff(). A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Out-of-bounds read
EUVDB-ID: #VU84716
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-37618
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in Exiv2::Jp2Image::printStructure(). A remote attacker can pass a specially crafted file to the application, trigger an out-of-bounds read error and perform a denial of service attack.
Update the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Out-of-bounds read
EUVDB-ID: #VU84717
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-37619
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
Update the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Out-of-bounds read
EUVDB-ID: #VU69650
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-37620
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition when processing metadata of a crafted image file. A remote attacker can pass a specially crafted image file to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
Update the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Infinite loop
EUVDB-ID: #VU84718
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-37621
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in Image::printIFDStructure(). A remote attacker can consume all available system resources and cause denial of service conditions.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Infinite loop
EUVDB-ID: #VU84719
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-37622
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in JpegBase::printStructure(). A remote attacker can consume all available system resources and cause denial of service conditions.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Infinite loop
EUVDB-ID: #VU84720
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-37623
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in JpegBase::printStructure. A remote attacker can consume all available system resources and cause denial of service conditions.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Out-of-bounds write
EUVDB-ID: #VU82730
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-44398
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in BmffImage::brotliUncompress. A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version: 0.28.1
Gentoo Linux: All versions
media-gfx/exiv2: before 0.28.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:media-gfx_exiv2:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202312-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
