NVD Vulnerability Detail

CVE-2021-29470

Summary	Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert. The bug is fixed in version v0.27.4.
Publication Date	April 24, 2021, 4:15 a.m.
Registration Date	April 24, 2021, 10:04 a.m.
Last Update	Nov. 21, 2024, 3:01 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:exiv2:exiv2::::::::			0.27.3

Related information, measures and tools

No	URL	タグ
1	https://github.com/Exiv2/exiv2/pull/1581	Patch Third Party Advisory
2	https://github.com/Exiv2/exiv2/pull/1581	Patch Third Party Advisory
3	https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj	Patch Third Party Advisory
4	https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj	Patch Third Party Advisory
5	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XQT5F5IINTDYDAFGVGQZ7PMMLG7I5ZZ/
6	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XQT5F5IINTDYDAFGVGQZ7PMMLG7I5ZZ/
7	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWZLDECIXXW3CCZ3RS4A3NG5X5VE4WZM/
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWZLDECIXXW3CCZ3RS4A3NG5X5VE4WZM/
9	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBKWLTXM7IKZ4PVGKLUQVAVFAYGGF7QR/
10	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBKWLTXM7IKZ4PVGKLUQVAVFAYGGF7QR/
11	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2A5GMJEXQ5Q76JK6F6VKK5JYCLVFGKN/
12	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2A5GMJEXQ5Q76JK6F6VKK5JYCLVFGKN/
13	https://security.gentoo.org/glsa/202312-06
14	https://security.gentoo.org/glsa/202312-06

Common Vulnerabilities List

JVN Vulnerability Information

Exiv2 における境界外読み取りに関する脆弱性

Title	Exiv2 における境界外読み取りに関する脆弱性
Summary	Exiv2 には、境界外読み取りに関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 23, 2021, midnight
Registration Date	Dec. 27, 2021, 11:07 a.m.
Last Update	Dec. 27, 2021, 11:07 a.m.

Affected System

Fedora Project

Fedora

Exiv2 project

Exiv2 0.27.3 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-29470	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29470
National Vulnerability Database (NVD)
2	CVE-2021-29470	https://nvd.nist.gov/vuln/detail/CVE-2021-29470

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-125	https://cwe.mitre.org/data/definitions/125.html

ベンダー情報

No	Name	URL
Fedora Update Notification
1	FEDORA-2021-10d7331a31	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2XQT5F5IINTDYDAFGVGQZ7PMMLG7I5ZZ/
GitHub
2	Add more bounds checks in Jp2Image::encodeJp2Header #1581	https://github.com/Exiv2/exiv2/pull/1581
3	Out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header	https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj

Change Log

No	Changed Details	Date of change
1	[2021年12月27日] 掲載	Dec. 27, 2021, 11:07 a.m.