openEuler 22.03 LTS update for exiv2
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 14 |
| CVE-ID | CVE-2019-13108 CVE-2019-13504 CVE-2021-37616 CVE-2021-37615 CVE-2021-32815 CVE-2021-37623 CVE-2021-37622 CVE-2021-34334 CVE-2021-37620 CVE-2021-37621 CVE-2021-34335 CVE-2021-37618 CVE-2021-31292 CVE-2021-37619 |
| CWE-ID | CWE-190 CWE-125 CWE-476 CWE-617 CWE-835 CWE-369 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #2 is available. |
| Vulnerable software Subscribe |
openEuler Operating systems & Components / Operating system exiv2-help Operating systems & Components / Operating system package or component exiv2-debuginfo Operating systems & Components / Operating system package or component exiv2-debugsource Operating systems & Components / Operating system package or component exiv2-devel Operating systems & Components / Operating system package or component exiv2 Operating systems & Components / Operating system package or component |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 14 vulnerabilities.
1) Integer overflow
EUVDB-ID: #VU19509
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13108
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow in Exiv2 through 0.27.1 due to PngImage::readMetadata mishandles a zero value for iccOffset. A remote attacker can create a crafted PNG image file, trigger integer overflow and perform denial of service (DoS) attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
exiv2-help: before 0.27.5-2
exiv2-debuginfo: before 0.27.5-2
exiv2-debugsource: before 0.27.5-2
exiv2-devel: before 0.27.5-2
exiv2: before 0.27.5-2
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2044
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds read
EUVDB-ID: #VU19220
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-13504
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause a denial of service (DoS) condition on a targeted system.
The vulnerability exists due to an out-of-bounds read error in the "Exiv2::MrwImage::readMetadata" function in the "mrwimage.cpp" file. A remote attacker can create a specially crafted media file, trick the victim into opening it and cause the affected application to crash.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
exiv2-help: before 0.27.5-2
exiv2-debuginfo: before 0.27.5-2
exiv2-debugsource: before 0.27.5-2
exiv2-devel: before 0.27.5-2
exiv2: before 0.27.5-2
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2044
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) NULL pointer dereference
EUVDB-ID: #VU84715
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-37616
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in Exiv2::Internal::resolveLens0x8ff(). A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
exiv2-help: before 0.27.5-2
exiv2-debuginfo: before 0.27.5-2
exiv2-debugsource: before 0.27.5-2
exiv2-devel: before 0.27.5-2
exiv2: before 0.27.5-2
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2044
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) NULL pointer dereference
EUVDB-ID: #VU84714
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-37615
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in Exiv2::Internal::resolveLens0x319(). A remote attacker can pass specially crafted file to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
exiv2-help: before 0.27.5-2
exiv2-debuginfo: before 0.27.5-2
exiv2-debugsource: before 0.27.5-2
exiv2-devel: before 0.27.5-2
exiv2: before 0.27.5-2
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2044
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Reachable Assertion
EUVDB-ID: #VU69648
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-32815
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when handling metadata of image files. A remote attacker can pass a specially crafted image to the application and perform a denial of service (DoS) attack.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
exiv2-help: before 0.27.5-2
exiv2-debuginfo: before 0.27.5-2
exiv2-debugsource: before 0.27.5-2
exiv2-devel: before 0.27.5-2
exiv2: before 0.27.5-2
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2044
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Infinite loop
EUVDB-ID: #VU84720
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-37623
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in JpegBase::printStructure. A remote attacker can consume all available system resources and cause denial of service conditions.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
exiv2-help: before 0.27.5-2
exiv2-debuginfo: before 0.27.5-2
exiv2-debugsource: before 0.27.5-2
exiv2-devel: before 0.27.5-2
exiv2: before 0.27.5-2
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2044
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Infinite loop
EUVDB-ID: #VU84719
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-37622
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in JpegBase::printStructure(). A remote attacker can consume all available system resources and cause denial of service conditions.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
exiv2-help: before 0.27.5-2
exiv2-debuginfo: before 0.27.5-2
exiv2-debugsource: before 0.27.5-2
exiv2-devel: before 0.27.5-2
exiv2: before 0.27.5-2
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2044
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Infinite loop
EUVDB-ID: #VU69649
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-34334
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when processing metadata of image files. A remote attacker can pass a specially crafted image to the application, consume all available system resources and cause denial of service conditions.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
exiv2-help: before 0.27.5-2
exiv2-debuginfo: before 0.27.5-2
exiv2-debugsource: before 0.27.5-2
exiv2-devel: before 0.27.5-2
exiv2: before 0.27.5-2
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2044
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Out-of-bounds read
EUVDB-ID: #VU69650
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-37620
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition when processing metadata of a crafted image file. A remote attacker can pass a specially crafted image file to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
exiv2-help: before 0.27.5-2
exiv2-debuginfo: before 0.27.5-2
exiv2-debugsource: before 0.27.5-2
exiv2-devel: before 0.27.5-2
exiv2: before 0.27.5-2
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2044
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Infinite loop
EUVDB-ID: #VU84718
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-37621
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in Image::printIFDStructure(). A remote attacker can consume all available system resources and cause denial of service conditions.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
exiv2-help: before 0.27.5-2
exiv2-debuginfo: before 0.27.5-2
exiv2-debugsource: before 0.27.5-2
exiv2-devel: before 0.27.5-2
exiv2: before 0.27.5-2
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2044
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Division by zero
EUVDB-ID: #VU84713
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-34335
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to divide by zero error in Exiv2::Internal::resolveLens0xffff(). A remote attacker can pass specially crafted file to the application and crash it.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
exiv2-help: before 0.27.5-2
exiv2-debuginfo: before 0.27.5-2
exiv2-debugsource: before 0.27.5-2
exiv2-devel: before 0.27.5-2
exiv2: before 0.27.5-2
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2044
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Out-of-bounds read
EUVDB-ID: #VU84716
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-37618
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in Exiv2::Jp2Image::printStructure(). A remote attacker can pass a specially crafted file to the application, trigger an out-of-bounds read error and perform a denial of service attack.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
exiv2-help: before 0.27.5-2
exiv2-debuginfo: before 0.27.5-2
exiv2-debugsource: before 0.27.5-2
exiv2-devel: before 0.27.5-2
exiv2: before 0.27.5-2
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2044
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Integer overflow
EUVDB-ID: #VU55922
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-31292
CWE-ID: N/A
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to integer overflow CrwMap::encode0x1810 of Exiv2. A remote attacker can pass specially crafted data to the application, trigger integer overflow and crash the application.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
exiv2-help: before 0.27.5-2
exiv2-debuginfo: before 0.27.5-2
exiv2-debugsource: before 0.27.5-2
exiv2-devel: before 0.27.5-2
exiv2: before 0.27.5-2
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2044
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Out-of-bounds read
EUVDB-ID: #VU84717
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-37619
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
exiv2-help: before 0.27.5-2
exiv2-debuginfo: before 0.27.5-2
exiv2-debugsource: before 0.27.5-2
exiv2-devel: before 0.27.5-2
exiv2: before 0.27.5-2
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2044
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
