Fluid Attacks Database

Description

An integer overflow in CrwMap::encode0x1810 of Exiv2 0.27.3 allows attackers to trigger a heap-based buffer overflow and cause a denial of service (DOS) via crafted metadata.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	exiv2	=0.27.3-3 \|\| >=0 <0.27.3-3+deb11u1	0.27.3-3+deb11u1
debian 12	exiv2	>=0 <0.27.3-3.1	0.27.3-3.1
debian 14	exiv2	>=0 <0.27.3-3.1	0.27.3-3.1
pypi	exiv2	=0.1 \|\| =0.11.0 \|\| =0.11.1 \|\| =0.11.2 \|\| =0.11.3 \|\| =0.12.0 \|\| =0.12.1 \|\| =0.13.0 \|\| =0.13.1 \|\| =0.13.2 \|\| =0.14.0 \|\| =0.14.1 \|\| =0.2 \|\| =0.3 \|\| =0.3.1 \|\| =0.15.0 \|\| =0.16.0 \|\| =0.16.1 \|\| =0.16.2 \|\| =0.16.2.post1 \|\| =0.16.3 \|\| =0.16.3.post1 \|\| =0.17.0 \|\| =0.17.1 \|\| =0.17.2 \|\| =0.17.3 \|\| =0.17.4 \|\| =0.17.5	-
debian 13	exiv2	>=0 <0.27.3-3.1	0.27.3-3.1
rpm rhel7	compat-exiv2-026	-	-
rpm rhel7	compat-exiv2-023	-	-
rpm rhel8	compat-exiv2-026	<0:0.26-6.el8	0:0.26-6.el8
rpm rhel8	exiv2	<0:0.27.4-5.el8	0:0.27.4-5.el8
rpm rhel7	exiv2	-	-

1-10 of 11

Aliases

1. CVE-2021-312922. NVD-2021-312923. OSV-DEBIAN-2021-312924. OSV-2021-312925. OSV-PYSEC-2021-8776. GCVE-2021-312927. SECURITY-TRACKER-CVE-2021-312928. DEBIAN-dsa-49589. lists.debian.org

References

1. https://github.com/Exiv2/exiv2/issues/15302. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/3. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.