NVD Vulnerability Detail

CVE-2021-29623

Summary	Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A read of uninitialized memory was found in Exiv2 versions v0.27.3 and earlier. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The read of uninitialized memory is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to leak a few bytes of stack memory, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.4.
Publication Date	May 14, 2021, 2:15 a.m.
Registration Date	May 14, 2021, 10 a.m.
Last Update	Nov. 21, 2024, 3:01 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:exiv2:exiv2::::::::					0.27.4

Related information, measures and tools

No	URL	タグ
1	https://github.com/Exiv2/exiv2/pull/1627	Patch Third Party Advisory
2	https://github.com/Exiv2/exiv2/pull/1627	Patch Third Party Advisory
3	https://github.com/Exiv2/exiv2/security/advisories/GHSA-6253-qjwm-3q4v	Patch Third Party Advisory
4	https://github.com/Exiv2/exiv2/security/advisories/GHSA-6253-qjwm-3q4v	Patch Third Party Advisory
5	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5I3RRZUGSBIUYZ5TIHLN55PKMAWCSJ5G/
6	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5I3RRZUGSBIUYZ5TIHLN55PKMAWCSJ5G/
7	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M2BPQNJKTRIDINTVJ22QMMTIZEPHVKXK/
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M2BPQNJKTRIDINTVJ22QMMTIZEPHVKXK/
9	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQAKFIQHW2AS3AGSJM42ABOA6CWIJBGM/
10	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQAKFIQHW2AS3AGSJM42ABOA6CWIJBGM/
11	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZ5SGWHK64TB7ADRSVBGHEPDFN5CSOO3/
12	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZ5SGWHK64TB7ADRSVBGHEPDFN5CSOO3/
13	https://security.gentoo.org/glsa/202312-06
14	https://security.gentoo.org/glsa/202312-06

Common Vulnerabilities List

JVN Vulnerability Information

Exiv2 における初期化されていないリソースの使用に関する脆弱性

Title	Exiv2 における初期化されていないリソースの使用に関する脆弱性
Summary	Exiv2 には、初期化されていないリソースの使用に関する脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	May 13, 2021, midnight
Registration Date	Jan. 31, 2022, 12:11 p.m.
Last Update	Jan. 31, 2022, 12:11 p.m.

Affected System

Exiv2 project

Exiv2 0.27.3 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-29623	https://www.cve.org/CVERecord?id=CVE-2021-29623
National Vulnerability Database (NVD)
2	CVE-2021-29623	https://nvd.nist.gov/vuln/detail/CVE-2021-29623

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-908	http://cwe.mitre.org/data/definitions/908.html

ベンダー情報

No	Name	URL
GitHub
1	Read of uninitialized memory in isWebPType	https://github.com/Exiv2/exiv2/security/advisories/GHSA-6253-qjwm-3q4v
2	Use readOrThrow to check error conditions of io.read() #1627	https://github.com/Exiv2/exiv2/pull/1627

Change Log

No	Changed Details	Date of change
1	[2022年01月31日] 掲載	Jan. 31, 2022, 12:11 p.m.